On Thu, Jun 23, 2016 at 1:34 PM, Evgeni Burovski <evgeny.burovskiy@gmail.com> wrote:
OK, here's what I'm going to do: I'll download the wheels from
Matthew's build farm, checksum them along with the source tarballs,
and add the checksums to the README file which is clearsigned with my
PGP signature.
That file gets uploaded to PyPI, Github releases and sent along with
the release announcement to a bunch of mailing lists.
(like this, https://mail.scipy.org/pipermail/scipy-dev/2016-January/021189.html)

AFAICS, this would cover the main vectors, apart from (i) the build
farm producing malicious stuff, (ii) RM or RM's laptop doing what it
shouldn't be doing, or (iii) someone patching the wheels en route from
the build farm to RM's laptop.

I don't see how to address the first two points or whether we actually
need to address those. The third one can be taken care of by
checksumming the wheels on the build farm, so that RM can verify them
before uploading.

This is probably not too hard to do with some tweaks to MacPython's
build scripts and/or terryfy download machinery Matthew described
upthread (I'm still to figure out how to use that machinery, but
that's separate).

I think there were problems with the terryfy machinery and signing; I asked Matthew about that before re NumPy. If you just download the built wheels, you can use twine to upload them with signatures, same with source files.

<snip>

Chuck
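The checksum step of the procedure described above, as an added example that is not part of the thread, the SciPy release scripts, or Matthew's build-farm tooling: it builds the sha256sum-style list that would go into the clearsigned README and verifies a downloaded set of wheels and sdists against it, flagging anything patched en route or missing. File names and contents are constructed; the clearsigning itself is left to `gpg --clearsign`, and the checksums should only be trusted once `gpg --verify` has accepted the README they came from.

```python
# Added example, not the project's scripts: checksum list for the clearsigned README.
import hashlib
import os
import re
import tempfile

ARTIFACT_SUFFIXES = (".whl", ".tar.gz", ".zip")  # wheels and source tarballs
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})  ([^\s/]+)$")  # sha256sum line, no path parts

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(directory):
    """One '<hex>  <filename>' line per artifact, sorted; sha256sum -c can read it."""
    names = sorted(n for n in os.listdir(directory) if n.endswith(ARTIFACT_SUFFIXES))
    return "".join(f"{sha256_of(os.path.join(directory, n))}  {n}\n" for n in names)

def parse_manifest(text):
    """filename -> digest from the checksum lines; README prose around them is skipped."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected

def verify_artifacts(directory, manifest_text):
    """{name: 'ok' | 'MISMATCH' | 'MISSING'}; trust manifest_text only after gpg --verify."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "ok" if sha256_of(path) == digest else "MISMATCH"
    return results

def demo():
    """Constructed artifacts: a clean set, then one sdist patched and one wheel missing."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("pkg-1.0-py3-none-any.whl", "pkg-1.0.tar.gz", "README.txt"):
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed contents of " + n.encode())
        manifest = "Release checksums:\n" + build_manifest(d)
        clean = verify_artifacts(d, manifest)
        with open(os.path.join(d, "pkg-1.0.tar.gz"), "ab") as f:
            f.write(b"\x00")  # stand-in for an artifact patched en route
        os.remove(os.path.join(d, "pkg-1.0-py3-none-any.whl"))
        return manifest, clean, verify_artifacts(d, manifest)
```

The manifest text is what gets pasted into the README before clearsigning; because the file-name pattern rejects path separators, a manifest line can never point a verifier outside the download directory.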