As of Python 3.5 Steve Dower has taken over the Windows builds of
Python from Martin von Löwis. He's also taken over for 2.7--though
Martin's still doing builds for 3.4.

For both versions, Steve is using all-new tooling for the build
process. The output is different, too; he's producing .exe
installers instead of .msi installers, and he has snazzy new
"web-based" installers where the initial download is small, then it
downloads the rest dynamically.

Steve's also changed the authentication process. His new installers
rely on a Windows digital signature technology called Authenticode,
where the signature is built right into the .exe file. Windows
platforms will automatically authenticate executables signed with
Authenticode, so this is both secure and convenient.

Martin's build process also digitally signed the files he built, but
not using Authenticode (or at least I don't think so). Like the Mac
and source code releases, his automation used GnuPG to produce
separate ".asc" files containing digital signatures. This meant
authentication was a manual process.

The Authenticode approach sounds great. But there are advantages to
the GnuPG approach too:
- Using GnuPG means we can authenticate the files from any
  platform, not just Windows. If there were a security breach on
  the Python content delivery network, any developer could get
  GnuPG for their platform and authenticate that the installers
  are unmodified. If we use Authenticode,

- GnuPG is agnostic about the data it digitally signs. So, for
  example, Martin's build process digitally signs the Windows help
  file--the ".chm" file--produced by his build process. The help
  file Steve builds is currently completely unsigned; Steve says
  he can try signing it but he's not sure it'll work. Note that
  .chm files actually can contain live code, so this is at
  least a plausible vector for attack.
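The two signing schemes above differ in where the signature lives: Authenticode stores it inside the .exe, in the PE "Certificate Table" (data directory entry 4), while GnuPG writes a detached ".asc" file beside the artifact. The script below is an added example (it is not from the original post, nor from the python.org release tooling) showing what a non-Windows developer can and cannot check for a downloaded installer: it parses the PE header to report whether an embedded Authenticode blob is present at all, and whether a sibling ".asc" exists. Detecting the table is possible on any OS, but actually validating the Authenticode chain needs Windows (or a third-party verifier), whereas the ".asc" can be verified with gpg anywhere. The `build_sample_pe` helper constructs a throwaway, non-runnable PE32+ header purely to exercise the parser; it is constructed sample data, not a real installer. A file with no Certificate Table and no ".asc" (the .chm case described above) comes back with both flags false.

```python
"""Cross-platform look at how a Windows release artifact is signed.

Added illustration, not code from python.org's release tooling. It answers two
questions for a downloaded file without needing Windows:
  1. Does the .exe carry an embedded Authenticode signature?  (The signature
     lives in the PE "Certificate Table", data directory entry 4.)
  2. Is there a detached GnuPG ".asc" signature beside the file?
"""
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_directory(pe: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if the
    bytes are not a PE image or the table is empty (i.e. no Authenticode)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 2 or opt + 2 > len(pe):
        return None
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32: data directories start 96 bytes in
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start 112 bytes in
        dirs = opt + 112
    else:
        return None
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + opt_size or entry + 8 > len(pe):
        return None
    # Unlike every other data directory, this entry's first field is a raw
    # file offset rather than an RVA: the certificate blob is never mapped.
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def win_certificate_type(pe: bytes):
    """Return wCertificateType of the first WIN_CERTIFICATE entry (0x0002 is a
    PKCS#7 SignedData blob, which is what Authenticode uses), or None when
    there is no embedded signature."""
    found = authenticode_directory(pe)
    if found is None:
        return None
    offset, _size = found
    if offset + 8 > len(pe):
        return None
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return cert_type


def describe_signing(path: Path) -> dict:
    """Report which signature mechanisms are available for an on-disk file."""
    data = path.read_bytes()
    return {
        "authenticode": authenticode_directory(data) is not None,
        "detached_asc": path.with_name(path.name + ".asc").exists(),
    }


def build_sample_pe(cert_size: int = 0) -> bytes:
    """Constructed, minimal PE32+ header (zero sections, not runnable) used
    only to exercise the parser; cert_size > 0 appends a dummy certificate."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8                  # PE32+ fixed part + 16 directories
    # COFF: Machine=AMD64, NumberOfSections=0, stamp, symtab, nsyms, opt size, chars
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_len = e_lfanew + 4 + 20 + opt_size
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")
    dirs = bytearray(16 * 8)
    if cert_size:
        struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, cert_size)
    image = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    if cert_size:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType
        image += struct.pack("<IHH", cert_size, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        image += b"\0" * (cert_size - 8)
    return image


if __name__ == "__main__":
    for label, sample in (("unsigned", build_sample_pe()), ("signed", build_sample_pe(64))):
        print(label, authenticode_directory(sample), win_certificate_type(sample))
```

Run it against a real download with `describe_signing(Path("python-3.5.0-amd64.exe"))`; a result of `{"authenticode": True, "detached_asc": False}` is exactly the situation the post describes for Steve's installers, and `gpg --verify file.asc file` remains the only check available off-Windows when the ".asc" is present.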
My Windows development days are firmly behind me. So I don't really
have an opinion here. So I put it to you, Windows Python
developers: do you care about GnuPG signatures on Windows-specific
files? Or do you not care?

/arry

p.s. And, of course, my thanks to both Steve and Martin for their
past and continuing service to the Python community! It's a
pleasure working with each of them. (Both of them? I forget how
English works.)