[Distutils] [Python-Dev] Adventures with x64, VS7 and VS8 on Windows
lars at ibp.de
Wed May 30 00:22:31 CEST 2007
>> One feature that is easily addable and will certainly make installing
>> Python on Vista nicer, is to add authenticode signing to the install.

I'm +1 on authenticode.

> This I question very much. I experimented with authenticode before 2.4,
> and found it an unacceptable experience. When the MSI file starts
> running, the installer needs to verify the signature, for which it needs
> to compute a hash of the entire file. For the Python MSI, this takes
> many seconds on a slower Pentium 4 machine. During that time, there
> is no visual feedback, so users are uncertain whether they have
> actually invoked the MSI file at all.

>> Currently the user is faced with a very nasty and off-putting message
>> about an unidentified program requesting access to his computer.

> Certainly. However, telling them that they have to wait just so that
> Windows finds out what they know already (that this is the MSI file
> from the Python Software Foundation, or from Martin v. Löwis) is
> even more nasty.

Educated, adult developers with good internet connections may know that,
but all users? What about software on a CD or a memory stick?

Also, software sites/mirrors have been compromised in the past, and they
are a sweet target.

I haven't looked at authenticode, but I guess it's a cryptographical
signature. That defaults to a good thing.

That the verification takes time is unfortunate, but unavoidable. That
the user interface sucks (no feedback) is a bug.

You will have the say whether Python uses authenticode, but I'm not
convinced by your arguments.