On Thu, Jun 23, 2016 at 1:34 PM, Evgeni Burovski <evgeny.burovskiy@gmail.com> wrote:
> OK, here's what I'm going to do: I'll download the wheels from Matthew's build farm, checksum them along with the source tarballs, and add the checksums to the README file which is clearsigned with my PGP signature. That file gets uploaded to PyPI, Github releases and sent along with the release announcement to a bunch of mailing lists. (like this, https://mail.scipy.org/pipermail/scipy-dev/2016-January/021189.html)
> AFAICS, this would cover the main vectors, apart from (i) the build farm producing malicious stuff, (ii) RM or RM's laptop doing what it shouldn't be doing, or (iii) someone patching the wheels en route from the build farm to RM's laptop.
> I don't see how to address the first two points or whether we actually need to address those. The third one can be taken care of by checksumming the wheels on the build farm, so that RM can verify them before uploading.
> This is probably not too hard to do with some tweaks to MacPython's build scripts and/or terryfy download machinery Matthew described upthread (I still have to figure out how to use that machinery, but that's separate).
I think there were problems with the terryfy machinery and signing, I asked Matthew about that before re NumPy. If you just download the built wheels, you can use twine to upload them with signatures, same with source files. <snip> Chuck
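The checksum half of the procedure Evgeni describes (digests listed in a README that is then PGP-clearsigned), as an added example that is not SciPy's release tooling: it writes the sha256sum-style block, strips clearsign armour on the verifying side, and flags a wheel altered en route (point (iii) above) as well as any artifact the signed list never names. File names and contents are constructed; the signature itself is still checked out of band with `gpg --verify`.

```python
import hashlib, os, tempfile

def sha256_file(path):
    """Hex SHA-256 of one artifact."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_checksum_block(directory, names):
    """'digest  filename' lines in sha256sum(1) format, sorted so the block is reproducible."""
    return "".join(f"{sha256_file(os.path.join(directory, n))}  {n}\n" for n in sorted(names))

def signed_body(text):
    """Checksum lines inside PGP clearsign armour (unarmoured text is returned unchanged)."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    body, inside = [], False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if inside:
            body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
        inside = inside or line == ""  # the blank line closes the 'Hash:' header block
    return "".join(l + "\n" for l in body)

def verify_checksum_block(block, directory):
    """{name: OK | MISMATCH | MISSING}; files the signed list never names are UNLISTED."""
    listed = {}
    for line in signed_body(block).splitlines():
        digest, sep, name = line.partition("  ")
        if sep:
            listed[name] = digest.lower()
    results = {n: "UNLISTED" for n in os.listdir(directory) if n not in listed}
    for name, digest in listed.items():
        path = os.path.join(directory, name)
        results[name] = ("MISSING" if not os.path.isfile(path)
                         else "OK" if sha256_file(path) == digest else "MISMATCH")
    return results

def demo():
    """Constructed: two artifacts checksummed, one altered in transit (threat iii), one stray."""
    with tempfile.TemporaryDirectory() as d:
        names = ["example-1.0-py3-none-any.whl", "example-1.0.tar.gz"]  # constructed names
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed artifact bytes for " + n.encode())
        block = make_checksum_block(d, names)  # what the build farm / RM would sign
        with open(os.path.join(d, names[0]), "ab") as f:
            f.write(b"\x00")  # byte appended en route: the wheel no longer matches
        open(os.path.join(d, "stray.whl"), "wb").close()  # artifact nobody signed for
        return verify_checksum_block(block, d)
```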