On Jun 21, 2016 14:37, "Evgeni Burovski" <evgeny.burovskiy@gmail.com> wrote:
>
> One question --- equally applicable to both pre-release and final
> releases: Security. If we download the wheels from the build farm and
> then upload to PyPI, how can a user check that what they download has
> not be tampered with?
>
> For source tarballs (and previously, Windows installers), we PGP sign
> the git tag and include checksums in the README file. This way they
> can at least verify the checksums.

I'm dubious that this really accomplishes much:
  https://caremad.io/2013/07/packaging-signing-not-holy-grail/

But, if you want to include checksums in the README, you can do that by just downloading the build farm wheels and checksumming them. This doesn't protect against a compromised build farm, but neither does anything else. (Even PGP signing doesn't protect you if your release manager's laptop is compromised, and realistically any laptop that has write permissions on the repository could add a backdoor with no one noticing, just by pushing it directly to master with an innocuous commit message.)

OTOH even this crude download and checksum approach does at least make life more difficult for anyone who tries to compromise the packages later after the checksum is made.

-n