[Distutils] [Python-Dev] Adventures with x64, VS7 and VS8 on Windows

Lars Immisch lars at ibp.de
Wed May 30 00:22:31 CEST 2007


>> One feature that is easily addable and will certainly make installing
>> python on vista nicer, is to add authenticode signing to the install.

I'm +1 on authenticode.

> This I question very much. I experimented with authenticode before 2.4,
> and found it an unacceptable experience. When the MSI file starts
> running, installer needs to verify the signature, for which it needs
> to compute a hash of the entire file. For the Python MSI, this takes
> many seconds on a slower Pentium 4 machine. During that time, there
> is no visual feedback, so users are uncertain whether they have
> actually invoked the MSI file at all.
>> Currently the user is faced with a very nasty and off-putting message
>> about an unidentified program requesting access to his computer.
> Certainly. However, telling them that they have to wait just so that
> Windows finds out what they know already (that this is the MSI file
> from the Python Software Foundation, or from Martin v. Löwis) is
> even more nasty.

Educated, adult developers with good internet connections may know that, 
but all users? What about software on a CD or a memory stick?

Also, software sites/mirrors have been compromised in the past, and they 
are a sweet target.

I haven't looked at authenticode, but I guess it's a cryptographical 
signature. That defaults to a good thing.

That the verification takes time is unfortunate, but unavoidable. That 
the user interface sucks (no feedback) is a bug.

You will have the say whether Python uses authenticode, but I'm not 
convinced by your arguments.

- Lars

More information about the Distutils-SIG mailing list