On Apr 3, 2013, at 3:23 PM, Laurens Van Houtven <_...@lvh.cc> wrote:
> On Thu, Apr 4, 2013 at 12:04 AM, Glyph <gl...@twistedmatrix.com> wrote:
>> The release manager already _does_ sign something. Since PyCon, we do have much better trust web integration, which is great, but that's not really relevant to this discussion, which is just about changing what we sign and how it gets signed.
>
> Yes, sorry; I thought there were just a bunch of hashes in a file somewhere, and forgot they were signed.
>
>> I think we should carry on with signing the list of signatures for now, and just upgrade the hash algorithm. Baby steps. Perhaps there are some theoretical benefits that come from signing the whole binary blob, but that's a much bigger change for a much smaller benefit.
>>
>> If anyone does have an interest in us doing this, I think the first step would be to write up a clear explanation of how it should be done.
>
> I agree. Can't we just replace "md5sum" in the command line with "shasum -a 512"? Do we need a grace period where we deliver both the MD5 and SHA512 sums? (Perhaps there's an automated system out there that relies on the MD5 version being available, since that's all we have now.)

Signing both certainly doesn't create any problems. I just have no idea what automation stuff parses this file as part of our _own_ release process. I was hoping someone who knew how it worked could examine it and tell me.

-glyph
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python