[Distutils] [Python-Dev] Adventures with x64, VS7 and VS8 on Windows

Lars Immisch lars at ibp.de
Wed May 30 10:43:34 CEST 2007

Dear Martin,

>> Educated, adult developers with good internet connections may know that,
>> but all users? What about software on a CD or a memory stick?
> Also, I believe users *still* get a confirmation window, just the
> message changes from "we don't know who wrote this software" to
> "we know PSF wrote it - do you trust them?"

Ugh. Still better than a warning.

> So, "all users" aren't any better off with authenticode.
>> I haven't looked at authenticode, but I guess it's a cryptographical
>> signature. 
> Correct.
>> That defaults to a good thing.
> That's a very common pitfall, and untrue. People are talked into
> believing that signed software is "more trustworthy" than unsigned
> software. This is absolutely not the case. The signed software may
> just as well contain malware. The only difference is that you can
> go after the author - provided you can get hold of him, and provided
> you can prove (in court) that it was actual that software that
> caused the damage. Depending on the malware, you may not even know
> that damage was made, e.g. if it was signed spyware.

Yes, I am aware of that. But the signature makes a man-in-the-middle 
attack harder.

> So code-signing can very realistically give a false sense of
> security. This is *not* a good thing.
>> You will have the say whether Python uses authenticode, but I'm not
>> convinced by your arguments.
> I think I'll have to produce a signed version of the 2.5.1 installer, so
> that people can see for themselves.

That is a friendly idea. Thank you.

- Lars

More information about the Distutils-SIG mailing list