[docs] [issue25255] Security of CPython Builds

Steve Dower report at bugs.python.org
Mon Sep 28 22:00:51 CEST 2015

Steve Dower added the comment:

I do need to contribute some PEP 101 updates at some point, since the Windows build no longer resembles what is described there, but it's mostly about configuration.

* Install x, y, z
* Obtain extra externals
* Install signing certificate
* Configure non-default settings
* Check out correct repo/branch
* Run tools/msi/buildrelease.cmd
(Optional: install x, configure SSH key, run tools/msi/uploadrelease.cmd)

Since I can't release the PSF signing key or my own GPG key, there's only so far this configuration can be automated. The "correct repo/branch/changeset" varies depending on the RM, and not all of the build tests are automatically verified (high chance of false positives that require manual inspection).

Probably the first thing I should do is put the extra externals (binutils, gpg, htmlhelp, redist and wix) onto svn.python.org with the others and grab them automatically. I can add checks for configuration (things like the eol extension not being enabled, for example) and the default build doesn't need a signing certificate, so that's optional too.

But the overriding point is, these things aren't required for most people, and automating them is going to be pretty restrictive. For example, I would have to automate it by detecting VS 2015 and failing if it's not there - otherwise you don't have repeatability - and that's going to prevent people using earlier or later versions of VS for their own uses. HTML Help is basically stable (a.k.a. dead), but gpg and binutils are frequently updated and locking them down is also restrictive. Also, people may want to use their own MinGW or GPG installs, while I don't want to do that, so the model I use for building would be restrictive there too.

Finally, so few people actually want to produce builds that I can do plenty of work to make it easy, and there may be major issues that are never discovered because nobody else uses it.
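A configuration check of the kind the comment above proposes (the eol extension not being enabled, the extra externals being present), as an added example rather than CPython's own build tooling: the hgrc text and the externals list are constructed, and an externals directory containing one subdirectory per external (binutils, gpg, htmlhelp, redist, wix) is an assumption.

```python
"""Pre-build host check: refuse to build if the Mercurial eol extension is
enabled or any of the extra externals is missing.  Constructed example."""
import configparser
from pathlib import Path

# Constructed hgrc: eol is enabled (bare "name =" enables an extension),
# mq is explicitly disabled ("name = !" is Mercurial's disable syntax).
SAMPLE_HGRC = """\
[ui]
username = builder

[extensions]
eol =
mq = !
"""

# Externals named in the comment above; the on-disk layout is an assumption.
REQUIRED_EXTERNALS = ("binutils", "gpg", "htmlhelp", "redist", "wix")


def enabled_extensions(hgrc_text):
    """Return the set of extension names that hgrc_text enables.

    Note: real hgrc files may use %include / %unset lines, which
    configparser does not understand; this covers plain [extensions] blocks.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(hgrc_text)
    if not cp.has_section("extensions"):
        return set()
    return {name for name, value in cp.items("extensions")
            if (value or "").strip() != "!"}


def scan_externals(externals_dir):
    """Names of the subdirectories present under externals_dir."""
    return {p.name for p in Path(externals_dir).iterdir() if p.is_dir()}


def check_config(hgrc_text, present_externals):
    """Return a list of problems; an empty list means the host passes."""
    problems = []
    if "eol" in enabled_extensions(hgrc_text):
        problems.append("eol extension is enabled; disable it before a release build")
    present = set(present_externals)
    for name in REQUIRED_EXTERNALS:
        if name not in present:
            problems.append(f"missing external: {name}")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_HGRC, scan_externals(".")):
        print(problem)
```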


Python tracker <report at bugs.python.org>
