Mailman 3 April 2015 - python-committers

[RELEASED] Python 3.5.0a4 is now available
by Larry Hastings 20 Apr '15

20 Apr '15

On behalf of the Python development community and the Python 3.5 release team, I'm thrilled to announce the availability of Python 3.5.0a4. Python 3.5.0a4 is the fourth and alpha release of Python 3.5, which will be the next major release of Python. Python 3.5 is still under development, and is not yet complete. This is a preview release, and its use is not recommended for production settings. The next release of Python 3.5 will be 3.5.0b1, the first beta release. Python 3.5 will enter "feature freeze" at this time; no new features will be added to 3.5 after this point. Python 3.5.0b1 is scheduled to be released May 22, 2015. Three important notes for Windows users about Python 3.5.0a4: * If you have previously installed Python 3.5.0a1, you may need to manually uninstall it before installing Python 3.5.0a4 (issue23612). * If installing Python 3.5.0a4 as a non-privileged user, you may need to escalate to administrator privileges to install an update to your C runtime libraries. * There is now a third type of Windows installer for Python 3.5. In addition to the conventional installer and the web-based installer, Python 3.5 now has an embeddable installer designed to be run as part of a larger application's installer for apps using or extending Python. You can find Python 3.5.0a4 here: https://www.python.org/downloads/release/python-350a4/ Happy hacking, //arry/

2 1

Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
by Steve Dower 17 Apr '15

17 Apr '15

"Authenticode does not have a PKI" If you got that from this discussion, I need everyone to at least skim read this: https://msdn.microsoft.com/en-us/library/ie/ms537361(v=vs.85).aspx Authenticode uses the same certificate infrastructure as SSL (note: not the same certificates). As I see it, anyone running on Windows has access to verification that is at least as good as GPG, and the only people who would benefit from GPG sigs are those checking Windows files on another OS or those with an existing GPG workflow on Windows (before this thread, I knew nobody who used GPG on Windows for anything, so forgive me for thinking this is very rare). Cheers, Steve Top-posted from my Windows Phone ________________________________ From: Wes Turner<mailto:wes.turner@gmail.com> Sent: ‎4/‎4/‎2015 6:42 To: M. -A. Lemburg<mailto:mal@egenix.com> Cc: Python-Dev<mailto:python-dev@python.org>; python-committers<mailto:python-committers@python.org>; Larry Hastings<mailto:larry@hastings.org>; Steve Dower<mailto:Steve.Dower@microsoft.com> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG? So, AFAIU from this discussion: * Authenticode does not have a PKI * GPG does have PKI * ASC signatures are signed checksums As far as downstream packaging on Windows (people who should/could be subscribed to release ANNs): For Choclatey NuGet: * https://chocolatey.org/packages/python * https://chocolatey.org/packages/python.x86 * https://chocolatey.org/packages/python2 * https://chocolatey.org/packages/python-x86_32 * https://chocolatey.org/packages/python3 Python(x,y): * https://code.google.com/p/pythonxy/ For Anaconda (the MS Azure chosen python distribution): * http://docs.continuum.io/anaconda/install.html#windows-install ... These should/could/are checking GPG signatures for Windows packages downstream. http://www.scipy.org/install.html On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <mal(a)egenix.com<mailto:mal@egenix.com>> wrote: On 04.04.2015 00:14, Steve Dower wrote: > The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :) > > Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key. Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code). The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers. There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org<http://python.org>'s download pages. If you want to sign a package file using GPG, you will need to create your own key, upload it to the key servers and then place the signature up on the download page. Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed: https://www.python.org/ftp/python/3.4.3/ Cheers, -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ > Cheers, > Steve > > Top-posted from my Windows Phone > ________________________________ > From: M.-A. Lemburg<mailto:mal@egenix.com<mailto:mal@egenix.com>> > Sent: ‎4/‎3/‎2015 10:55 > To: Steve Dower<mailto:Steve.Dower@microsoft.com<mailto:Steve.Dower@microsoft.com>>; Larry Hastings<mailto:larry@hastings.org<mailto:larry@hastings.org>>; Python Dev<mailto:python-dev@python.org<mailto:python-dev@python.org>>; python-committers<mailto:python-committers@python.org<mailto:python-committers@python.org>> > Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG? > > On 03.04.2015 19:35, Steve Dower wrote: >>> My Windows development days are firmly behind me. So I don't really have an >>> opinion here. So I put it to you, Windows Python developers: do you care about >>> GnuPG signatures on Windows-specific files? Or do you not care? >> >> The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page). > > FWIW: I regularly check the GPG sigs on all important downloaded > files, regardless of which platform they target, including the > Windows installers for Python or any other Windows installers > I use which provide such sigs. > > The reason is simple: > The signature is a proof of authenticity which is not bound to > a particular file format or platform and before running .exes > it's good to know that they were built by the right people and > not manipulated by trojans, viruses or malicious proxies. > > Is that a good enough reason to continue providing the GPG > sigs or do you need more proof of goodness ? ;-) > > -- > Marc-Andre Lemburg > eGenix.com > > Professional Python Services directly from the Source >>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ > ________________________________________________________________________ > > ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: > > > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg > Registered at Amtsgericht Duesseldorf: HRB 46611 > http://www.egenix.com/company/contact/ > _______________________________________________ Python-Dev mailing list Python-Dev(a)python.org<mailto:Python-Dev@python.org> https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com

4 10

Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
by Steve Dower 05 Apr '15

05 Apr '15

"One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ?" I've seen some info suggesting that it's verifiable, but you do need to extract the cert and calculate the hash against less than the signed file. Seemed like Mono had a tool for it, but OpenSSL can handle the cert. Currently the new installer doesn't run on Wine because of missing APIs (since I want to discuss alternate distribution ideas I haven't treated this as a priority), and I've heard they haven't implemented enough crypto yet to handle it, but that could be outdated. "GPG sigs will provide protection against replay attacks" How does this work? Cheers, Steve Top-posted from my Windows Phone ________________________________ From: Robert Collins<mailto:robertc@robertcollins.net> Sent: ‎4/‎4/‎2015 21:59 To: Steve Dower<mailto:Steve.Dower@microsoft.com> Cc: M.-A. Lemburg<mailto:mal@egenix.com>; Larry Hastings<mailto:larry@hastings.org>; Python Dev<mailto:python-dev@python.org>; python-committers<mailto:python-committers@python.org> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG? On 4 April 2015 at 11:14, Steve Dower <Steve.Dower(a)microsoft.com> wrote: > The thing is, that's exactly the same goodness as Authenticode gives, except > everyone gets that for free and meanwhile you're the only one who has > admitted to using GPG on Windows :) > > Basically, what I want to hear is that GPG sigs provide significantly better > protection than hashes (and I can provide better than MD5 for all files if > it's useful), taking into consideration that (I assume) I'd have to obtain a > signing key for GPG and unless there's a CA involved like there is for > Authenticode, there's no existing trust in that key. GPG sigs will provide protection against replay attacks [unless we're proposing to revoke signatures on old point releases with known security vulnerabilities - something that Window software vendors tend not to do because of the dramatic and immediate effect on the deployed base...] This is not relevant for things we're hosting on SSL, but is if anyone is mirroring our installers around. They dont' seem to be so perhaps its a bit 'meh'. OTOH I also think there is value in consistency: signing all our artifacts makes checking back on them later easier, should we need to. One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ? -Rob -- Robert Collins <rbtcollins(a)hp.com> Distinguished Technologist HP Converged Cloud

1 0

Do we need to sign Windows files with GnuPG?
by Larry Hastings 04 Apr '15

04 Apr '15

As of Python 3.5 Steve Dower has taken over the Windows builds of Python from Martin van Loewis. He's also taken over for 2.7--though Martin's still doing builds for 3.4. For both versions, Steve is using all-new tooling for the build process. The output is different, too; he's producing .exe installers instead of .msi installers, and he has snazzy new "web-based" installers where the initial download is small, then it downloads the rest dynamically. Steve's also changed the authentication process. His new installers rely on a Windows digital signature technology called Authenticode where the signature is built right into the .exe file. Windows platforms will automatically authenticate executables signed with Authenticode, so this is both secure and convenient. Martin's build process also digitally signed the files he built, but not using Authenticode (or at least I don't think so). Like the Mac and source code releases, his automation used GnuPG to produce separate ".asc" files containing digital signatures. This meant authentication was a manual process. The Authenticode approach sounds great. But there are advantages to the GnuPG approach too: * Using GnuPG means we can authenticate the files from any platform, not just Windows. If there were a security breach on the Python content delivery network, any developer could get GnuPG for their platform and authenticate that the installers are unmodified. If we use Authenitcode, * GnuPG is agnostic about the data it digitally signs. So, for example, Martin's build process digitally signs the Windows help file--the ".chm" file--produced by his build process. The help file Steve builds is currently completely unsigned; Steve says he can try signing it but he's not sure it'll work. Note that .chm files actually /can/ contain live code, so this is at least a plausible vector for attack. My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care? //arry/ p.s. And, of course, my thanks to both Steve and Martin for their past and continuing service to the Python community! It's a pleasure working with each of them. (Both of them? I forget how English works.)

7 12

Do people prefer pushing feature repos or one massive patch?
by Brett Cannon 03 Apr '15

03 Apr '15

The implementation for PEP 488 is basically done (sans Windows installer stuff). I did the work in a features repo at https://hg.python.org/features/pep-488/ . Once I have addressed reviewer comments at http://bugs.python.org/issue23731 , would people prefer I simply push the features repo to hg.python.org/cpython and have the more granular history but have various "merge default" commits, or would people rather I do one massive commit?

10 13

changing the python version on the 2.7 branch
by Matthias Klose 02 Apr '15

02 Apr '15

We'll have the 2.7.10 release in the coming months. This will be the first release with a two digit subminor version number, so please could we prepare for that early? Feature tests in python are unfortunately way too often based on version comparisons. Suggesting to push the following patch to the 2.7 branch. The patch also changes PY_RELEASE_LEVEL to "beta" quality. Currently this is a value which is not touched on the branches. Matthias diff -r d444496e714a Include/patchlevel.h --- a/Include/patchlevel.h Wed Apr 01 16:53:53 2015 +0300 +++ b/Include/patchlevel.h Wed Apr 01 20:56:46 2015 +0200 @@ -22,12 +22,12 @@ /*--start constants--*/ #define PY_MAJOR_VERSION 2 #define PY_MINOR_VERSION 7 -#define PY_MICRO_VERSION 9 -#define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL +#define PY_MICRO_VERSION 10 +#define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_BETA #define PY_RELEASE_SERIAL 0 /* Version as a string */ -#define PY_VERSION "2.7.9+" +#define PY_VERSION "2.7.10-" /*--end constants--*/ /* Subversion Revision number of this file (not of the repository). Empty

3 3

python-committers April 2015