
Include sha256 hashes of release downloads in announcement communications

Open gpshead opened this issue 3 years ago • 4 comments

BPO 46077
Nosy @gpshead, @ydroneaud

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-12-15.01:40:48.306>
labels = ['deferred-blocker', '3.9', '3.10', '3.11']
title = 'Include sha256 hashes of release downloads in announcement communications'
updated_at = <Date 2021-12-15.08:49:37.120>
user = 'https://github.com/gpshead'

bugs.python.org fields:

activity = <Date 2021-12-15.08:49:37.120>
actor = 'ydroneaud'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = []
creation = <Date 2021-12-15.01:40:48.306>
creator = 'gregory.p.smith'
dependencies = []
files = []
hgrepos = []
issue_num = 46077
keywords = []
message_count = 1.0
messages = ['408579']
nosy_count = 2.0
nosy_names = ['gregory.p.smith', 'ydroneaud']
pr_nums = []
priority = 'deferred blocker'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue46077'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']

gpshead avatar Dec 15 '21 01:12 gpshead

The announcement email list (https://mail.python.org/archives/list/[email protected]/) and other places we make announcements beyond just the release pages like https://www.python.org/downloads/release/python-3101/ should include a list of sha256 hashes of the release binaries in the announcement text.

This serves as an alternative confirmation that nothing has changed as such announcements are widely distributed and archived by independent parties and individuals and can thus convey a level of trust that a hash listed on the downloads page cannot (where an attacker would simply modify both).

Yes, there is a gpg signature on the downloads. I encourage people to use that. But this provides an alternate distributed mechanism to verify that nothing has changed at all since the release announcement. Something a gpg signature cannot fully do (consider this protection against the possibility of a new signed binary being put into its place by a compromised key/signer/builder/RM before anyone happens to notice and poke around).

A simple table of:

filename.tar.gz | sha256 hash
filename.msi    | sha256 hash
filename.dmg    | sha256 hash
...

At the end of the announcement email/post would suffice.

Less of an issue on source packages as those can be verified against the git repo. But it's nice for people to know if binaries change without an announcement and explanation and is easy for us to provide.

Bonus points if the release announcement email body itself is signed (if that is even feasible per our release signing GPG key management).

[context: see recent python-dev subject: Python release announcement format]

gpshead avatar Dec 15 '21 01:12 gpshead

⚠️ This issue has been updated from 'deferred-blocker' to 'release blocker' as we are past beta1. This issue will block the next release (Python 3.11.0 beta 2). ⚠️

pablogsal avatar May 09 '22 17:05 pablogsal

I have a proposal for a slightly simpler approach. Instead of a table I recommend using the BSD-style checksum format. It's an established file format that contains the digest algorithm, file name and digest on each line. The standard sha256sum can create and validate the file:

$ sha256sum --tag [pP]ython* > sha256sum.txt
$ cat sha256sum.txt
SHA256 (python-3.10.5-amd64.exe) = 69165821dad57c6d8d29ec8598933db7c4498f8ef9d477fa13c677fd82567b58
SHA256 (python3105.chm) = d017a9edad1857eb3cee1eeec89de75742aec20da09957f6eff2bffe29c3d9e8
SHA256 (python-3.10.5-embed-amd64.zip) = a58959ac2b636105fa7c2308508c281f578a70fda15249a04d04b4d26b5ea2cf
SHA256 (python-3.10.5-embed-win32.zip) = af0b0aabab13faaa149f66793457aa4866517aa07552ab93a684f08c864cc4c9
SHA256 (python-3.10.5.exe) = 66840f49275bf6ca66a40f1faf9b79ff135779109086f59b25452a480ec54ba4
SHA256 (python-3.10.5-macos11.pkg) = 36ff0f2ef1fdd8603042576d206224a76db32a0000e8332877751f86d98abc53
SHA256 (Python-3.10.5.tar.xz) = 8437efd5b106ef0a75aabfbf23d880625120a73a86a22ade4d2e2e68d7b74486
SHA256 (Python-3.10.5.tgz) = 18f57182a2de3b0be76dfc39fdcfd28156bb6dd23e5f08696f7492e9e3d0bf2d

validation

$ sha256sum --check sha256sum.txt 
python-3.10.5-amd64.exe: OK
python3105.chm: OK
python-3.10.5-embed-amd64.zip: OK
python-3.10.5-embed-win32.zip: OK
python-3.10.5.exe: OK
python-3.10.5-macos11.pkg: OK
Python-3.10.5.tar.xz: OK
Python-3.10.5.tgz: OK

validation with missing files

$ rm *.exe *.chm
$ sha256sum --check --ignore-missing sha256sum.txt 
python-3.10.5-embed-amd64.zip: OK
python-3.10.5-embed-win32.zip: OK
python-3.10.5-macos11.pkg: OK
Python-3.10.5.tar.xz: OK
Python-3.10.5.tgz: OK

tiran avatar Jul 08 '22 13:07 tiran
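As an added illustration, not code from the release-tools project or from any of the commenters above, the Python script below ties the two comments together: it produces the BSD-style `SHA256 (name) = digest` lines that `sha256sum --tag` writes, and then verifies a download directory against the hashes embedded in an archived announcement body the way `sha256sum --check` (with and without `--ignore-missing`) does, flagging a swapped binary as FAILED and an absent file as MISSING. The file names, file contents and function names are constructed for this example and are not real release artifacts.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One BSD-style checksum line, the same text `sha256sum --tag` writes, e.g.
#   SHA256 (python-3.10.5.tgz) = 18f57182a2de3b0be76dfc39fdcfd28156bb6dd23e5f08696f7492e9e3d0bf2d
BSD_LINE = re.compile(r"^SHA256 \((?P<name>[^()\n]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def sha256_file(path):
    """Stream a file through SHA-256 so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_checksum_lines(paths):
    """Build the list a release manager would paste at the end of the announcement."""
    return [f"SHA256 ({Path(p).name}) = {sha256_file(p)}" for p in paths]


def parse_announcement(text):
    """Pull the checksum lines out of an announcement body; surrounding prose is ignored."""
    entries = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip())
        if m is None:
            continue
        if m["name"] in entries:
            raise ValueError(f"duplicate checksum entry for {m['name']}")
        entries[m["name"]] = m["digest"].lower()
    if not entries:
        raise ValueError("no SHA256 checksum lines found in announcement text")
    return entries


def check_downloads(announcement, directory, ignore_missing=False):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}, mirroring `sha256sum --check [--ignore-missing]`."""
    results = {}
    for name, expected in parse_announcement(announcement).items():
        path = Path(directory) / name
        if not path.is_file():
            if not ignore_missing:
                results[name] = "MISSING"
            continue
        # compare_digest is a habit rather than a necessity here (the digest is public),
        # but it costs nothing and avoids a timing-dependent comparison.
        results[name] = "OK" if hmac.compare_digest(sha256_file(path), expected) else "FAILED"
    return results


def demo():
    """Constructed scenario: hashes are announced, then one binary is swapped and one file is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # constructed sample "release artifacts": names and bytes are made up for this example
        (d / "Python-3.X.Y.tgz").write_bytes(b"constructed sample source tarball")
        (d / "python-3.X.Y-amd64.exe").write_bytes(b"constructed sample installer")
        (d / "python-3.X.Y-macos11.pkg").write_bytes(b"constructed sample pkg")
        announcement = "Python 3.X.Y is now available.\n\n" + "\n".join(
            make_checksum_lines(sorted(d.iterdir()))
        )

        # Later: the archived announcement is the reference. The hosted .exe has been
        # replaced and the .pkg was never downloaded locally.
        (d / "python-3.X.Y-amd64.exe").write_bytes(b"constructed REPLACED installer")
        (d / "python-3.X.Y-macos11.pkg").unlink()

        strict = check_downloads(announcement, d)
        lenient = check_downloads(announcement, d, ignore_missing=True)
        return strict, lenient


if __name__ == "__main__":
    for mode, results in zip(("strict", "ignore-missing"), demo()):
        print(mode)
        for name, status in results.items():
            print(f"  {name}: {status}")
```

The verifier reads its expected digests from the announcement text itself rather than from a `sha256sum.txt` hosted beside the downloads, which is the distinction the issue is about: a copy of the announcement held by an independent archive cannot be rewritten together with the download page.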

Transferred from the CPython repo

pablogsal avatar Jul 11 '22 19:07 pablogsal