Hi,
I'm not familiar with the Python release process, but looking at the latest release
https://www.python.org/downloads/release/python-3101/
we can see MD5 is still used ... which doesn't sound right in 2021 ... especially since we proved it's possible to build different .tar.gz files that have the same MD5:
https://twitter.com/ydroneaud/status/1448659749604446211
https://twitter.com/angealbertini/status/1449736035110461443
You would reply there's an OpenPGP / GnuPG signature. But then I would like to raise another issue regarding the release process:
As the announcement on comp.lang.python.announce / python-announce-l...@python.org doesn't record the release digest / release signature, the operators behind https://www.python.org/downloads/release/python-3101/ are free to change the release content at any time, provided there's a valid signature. And there will be no way for us to check the release wasn't modified after the announcement.
It would be great if https://www.python.org/dev/peps/pep-0101/ would be improved from the naive:
"Write the announcement for the mailing lists. This is the fuzzy bit because not much can be automated. You can use an earlier announcement as a template, but edit it for content!"
to require the release announcement to record release archive digests as SHA-2 256 (added point if the announcement is signed), or the armored OpenPGP signatures (but that's a lot of base64 characters).
Should I open a bug for this issue?
Regards.
--
Yann Droneaud
OPTEYA
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at
https://mail.python.org/archives/list/python-dev@python.org/message/6NI6V7DHTXCTUTNC2C5YSGOB6UJRFUDR/
Code of Conduct: http://python.org/psf/codeofconduct/
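The check the post asks for, written out as an added example (it is not part of the original message, nor of the Python release tooling): parse the SHA-256 digest lines from an announcement and compare them against the archives actually downloaded, so that an archive replaced after the announcement shows up as a mismatch. The digest line format (the `sha256sum` layout, `<hex>  <filename>`) is an assumption, not a PEP 101 rule, and the announcement text, file names and archive contents below are constructed for the demonstration.

```python
"""Verify downloaded release archives against the SHA-256 digests recorded
in an announcement, as the post proposes.  Added example; the announcement
text, file names and archive contents are constructed, not python.org data."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Line format assumed for the announcement's digest block: the familiar
# `sha256sum` layout, "<64 hex chars>  <filename>" (assumption, not a PEP 101 rule).
_DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def parse_announcement(text: str) -> dict:
    """Extract {filename: sha256hex} from the announcement text, ignoring prose lines."""
    digests = {}
    for line in text.splitlines():
        m = _DIGEST_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large release archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(download_dir: Path, announcement: str) -> dict:
    """Return {filename: "ok" | "MISMATCH" | "missing"} for every archive the announcement lists.

    A MISMATCH is exactly the case the post worries about: the archive served
    from the download page no longer matches what was announced.
    """
    expected = parse_announcement(announcement)
    if not expected:
        raise ValueError("announcement carries no SHA-256 digest lines")
    results = {}
    for name, want in expected.items():
        path = download_dir / name
        if not path.is_file():
            results[name] = "missing"
            continue
        got = sha256_file(path)
        # Digests are public, so constant-time comparison is not required here;
        # it is used anyway because it is the safe default for any digest check.
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def demo(tmp_dir=None) -> dict:
    """Build two constructed 'archives', announce their digests, tamper with one, verify."""
    tmp_dir = Path(tmp_dir) if tmp_dir is not None else Path(tempfile.mkdtemp())
    tmp_dir.mkdir(parents=True, exist_ok=True)
    good = tmp_dir / "Python-X.Y.Z.tgz"     # placeholder release name
    bad = tmp_dir / "Python-X.Y.Z.tar.xz"   # placeholder release name
    good.write_bytes(b"constructed archive A")
    bad.write_bytes(b"constructed archive B")
    announcement = (
        "Python X.Y.Z is now available.\n\n"
        "SHA-256 digests of the release archives:\n"
        f"{sha256_file(good)}  {good.name}\n"
        f"{sha256_file(bad)}  {bad.name}\n"
    )
    # Simulate a post-announcement modification of one archive on the download server.
    bad.write_bytes(b"constructed archive B, modified after the announcement")
    return verify_release(tmp_dir, announcement)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Against a real release, `verify_release` would be pointed at the directory holding the downloaded archives and at the saved announcement text; an announcement that was itself OpenPGP-signed would additionally let the digest list be authenticated before it is trusted, which is the "added point" the post mentions.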