
Author phelix
Recipients brett.cannon, docs@python, ezio.melotti, paul.moore, phelix, steve.dower, tim.golden, willingc, zach.ware
Date 2015-09-28.18:53:23
Message-id <1443466403.53.0.210891042076.issue25255@psf.upfronthosting.co.za>
In-reply-to
Content
@Brett: Thanks for the info, I had not noticed PEP 101 had been updated.

@Paul: Ah, I had not found PCBuild/readme.txt yet. I did look at the devguide but I got the impression it was mostly meant for debug builds.

> Basically through trusting the people who produce the builds.
I assume these builders are very experienced and well known developers (thanks btw I like Python very much). I would trust them a very long way.

But it is not their integrity that is in question. Python is so popular that there might be large monetary (and other) incentives to force builders into something. Just for Bitcoin alone probably millions of dollars.

I was only recently made aware of this by Namecoin team members (and this [1] video about reproducible builds from CCC14) but as far as I see it now there is a very valid core in their argumentation.

Our well-respected team member Joseph Bisch has looked into reproducible builds of CPython and concluded that it might be a difficult thing to do with a project as large as Python [2]. But maybe there are other ways to make builds more secure? I realize it is a lot I am asking here but build security will certainly get more and more important with time. Could things be improved by getting several developers together to create a secure VM as a starting point that makes reproducible builds easier?

[1] https://media.ccc.de/browse/congress/2014/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner.html#video&t=18
[2] https://forum.namecoin.info/viewtopic.php?p=15869#p15869
History
Date User Action Args
2015-09-28 18:53:23 phelix set recipients: + phelix, brett.cannon, paul.moore, tim.golden, ezio.melotti, docs@python, zach.ware, steve.dower, willingc
2015-09-28 18:53:23 phelix set messageid: <1443466403.53.0.210891042076.issue25255@psf.upfronthosting.co.za>
2015-09-28 18:53:23 phelix link issue25255 messages
2015-09-28 18:53:23 phelix create