[Distutils] [Python-Dev] Adventures with x64, VS7 and VS8 on Windows

"Martin v. Löwis" martin at v.loewis.de
Wed May 30 07:10:20 CEST 2007

>> Certainly. However, telling them that they have to wait just so that
>> Windows finds out what they know already (that this is the MSI file
>> from the Python Software Foundation, or from Martin v. Löwis) is
>> even more nasty.
> Educated, adult developers with good internet connections may know that,
> but all users? What about software on a CD or a memory stick?

Also, I believe users *still* get a confirmation window, just the
message changes from "we don't know who wrote this software" to
"we know PSF wrote it - do you trust them?"

So, "all users" aren't any better off with authenticode.

> I haven't looked at authenticode, but I guess it's a cryptographical
> signature. 


> That defaults to a good thing.

That's a very common pitfall, and untrue. People are talked into
believing that signed software is "more trustworthy" than unsigned
software. This is absolutely not the case. The signed software may
just as well contain malware. The only difference is that you can
go after the author - provided you can get hold of him, and provided
you can prove (in court) that it was actually that software that
caused the damage. Depending on the malware, you may not even know
that damage was done, e.g. if it was signed spyware.

So code-signing can very realistically give a false sense of
security. This is *not* a good thing.

> You will have the say whether Python uses authenticode, but I'm not
> convinced by your arguments.

I think I'll have to produce a signed version of the 2.5.1 installer, so
that people can see for themselves.

