[docs] [issue25255] Security of CPython Builds

phelix report at bugs.python.org
Mon Sep 28 23:19:20 CEST 2015

phelix added the comment:

Thank you all for your responses.

> Having read your link [2] above (at least briefly), it seems the aim is to compare hashes of builds from multiple people to verify that nobody maliciously modified the binaries.
Exactly. Also it might protect the people actually doing the builds from extortion and accusations from backdoor victims (e.g. in case of hacked build system).

> That isn't going to work for Windows because we cryptographically sign the binaries. The only people who could produce bit-for-bit identical builds are those trusted by the PSF, and not independent people. So if you don't trust the PSF and implicitly the people trusted by the PSF, you can't actually do anything besides building your own version and using that.
Joseph tried just that but ran into issues.

> However, the rest of the build is so automated that other personal variations will not occur. As I mentioned above, I have exactly one batch file to build the full span of releases for Windows, and I just run that. It's public and in the repo, so anyone else can also run it, they just won't get bit-for-bit identical builds because of timestamps, embedded paths, and certificates.
Timestamps and paths should be handled by the Gitian secure build system (cross compile).

>From my point this issue can be closed as my questions are answered. We will take another look at building reproducibly. If we run into problems I will create another issue here in the hope you can help again. :)


Python tracker <report at bugs.python.org>

More information about the docs mailing list