[docs] [issue25255] Security of CPython Builds

Steve Dower report at bugs.python.org
Mon Sep 28 22:04:41 CEST 2015

Steve Dower added the comment:

Having read your link [2] above (at least briefly), it seems the aim is to compare hashes of builds from multiple people to verify that nobody maliciously modified the binaries.

That isn't going to work for Windows because we cryptographically sign the binaries. The only people who could produce bit-for-bit identical builds are those trusted by the PSF, and not independent people. So if you don't trust the PSF and implicitly the people trusted by the PSF, you can't actually do anything besides building your own version and using that.

However, the rest of the build is so automated that other personal variations will not occur. As I mentioned above, I have exactly one batch file to build the full span of releases for Windows, and I just run that. It's public and in the repo, so anyone else can also run it, they just won't get bit-for-bit identical builds because of timestamps, embedded paths, and certificates.


Python tracker <report at bugs.python.org>

More information about the docs mailing list