
include 3.8.0b4 #344

Open
wants to merge 1 commit into
base: master
from

Conversation

@mattip

commented Sep 10, 2019

Try to use 3.8.0b4 in the manylinux builds
closes #314
closes #313
replaces #333

@mattip

Author

commented Sep 10, 2019

Once again the build fails:

```
+ curl -fsSLO https://www.python.org/ftp/python/3.8.0/Python-3.8.0b4.tgz
+ curl -fsSLO https://www.python.org/ftp/python/3.8.0/Python-3.8.0b4.tgz.asc
+ gpg --verify Python-3.8.0b4.tgz.asc
gpg: Signature made Thu 29 Aug 2019 10:43:07 PM UTC using RSA key ID 10250568
gpg: Can't check signature: No public key
```
@auvipy
Contributor

left a comment

try to fix the build error as well

@lkollar

Contributor

commented Sep 11, 2019

Link to the upstream issue: https://bugs.python.org/issue37967.

@trishankatdatadog

Member

commented Sep 11, 2019

Automatic key download is a bad idea. It basically means: "trust whatever public key signed this package."

@mattip

Author

commented Sep 11, 2019

@trishankatdatadog thanks. I am not so good with gpg. Is the other solution the correct one? Where does the fingerprint value come from?

```
gpg --fetch-keys "https://keybase.io/ambv/pgp_keys.asc?fingerprint=e3ff2839c048b25c084debe9b26995e310250568"
```

Context for those not following the cpython issue:

```
It looks like you don't have Łukasz key and your GnuPG is not configured for automatic key download.

Automatic key download works for me:

$ gpg --verify Python-3.8.0b4.tgz.asc
gpg: assuming signed data in 'Python-3.8.0b4.tgz'
gpg: Signature made 2019-08-30T00:43:07 CEST
gpg: using RSA key E3FF2839C048B25C084DEBE9B26995E310250568
gpg: requesting key 0xB26995E310250568 from hkp server keys.fedoraproject.org
gpg: key 0xB26995E310250568: public key "Łukasz Langa (GPG langa.pl) <lukasz@langa.pl>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Łukasz Langa (GPG langa.pl) <lukasz@langa.pl>" [undefined]
gpg: aka "Łukasz Langa <lukasz@python.org>" [unknown]
gpg: aka "Łukasz Langa (Work e-mail account) <ambv@fb.com>" [undefined]
gpg: aka "[jpeg image of size 24479]" [unknown]

You could also download the key from keybase:

$ gpg --fetch-keys "https://keybase.io/ambv/pgp_keys.asc?fingerprint=e3ff2839c048b25c084debe9b26995e310250568"
gpg: requesting key from 'https://keybase.io/ambv/pgp_keys.asc?fingerprint=e3ff2839c048b25c084debe9b26995e310250568'
gpg: key 0xB26995E310250568: "Łukasz Langa (GPG langa.pl) <lukasz@langa.pl>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```

@trishankatdatadog

Member

commented Sep 11, 2019

@mattip That may be fine as a temporary workaround, but I recommend that the official Python GPG public key list be updated before the final release of 3.8.0.

@mattip

Author

commented Sep 12, 2019

It seems the resolution of bpo-37967 is to disallow using the pubkeys.txt and to remove it from the python.org website ASAP. A new solution is needed. Is there a gpg expert who can suggest how to fix this line? Should it be like the other invocation of gpg a few lines above?

@trishankatdatadog

Member

commented Sep 12, 2019

@mattip I would not recommend removing pubkeys.txt. The problem is: how do you know what the authoritative keys are? If you trust the public key attached to a signature on a Python tarball, then it could have been signed by anybody. OTOH, this assumes that attackers can sign malicious Python tarballs, but not overwrite pubkeys.txt on the Python website. There needs to be a better long term solution from the Python developers. I personally cannot recommend skipping the proper checking of signatures.

@mattip

Author

commented Sep 12, 2019

@trishankatdatadog please comment on the cpython issue https://bugs.python.org/issue37967. The decision has apparently already been made. There are recommendations on the downloads link https://www.python.org/downloads/ (in the section marked "OpenPGP Public Keys") to do one of:

- downloading the public key file (but they claim that will be removed soon)
- grab the individual keys directly from the keyserver network by running the command `gpg --recv-keys 10250568 ...`
- verify the authenticity of the download via `gpg --verify Python-3.6.2.tgz.asc`

Which of the last two is safe (or should we do both)?
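One way to follow the "verify" recommendation without letting gpg silently fetch and trust whatever key signed the tarball (the concern raised in this thread, and the "Where does the fingerprint value come from?" question above), as an added example that is not code from this PR or from the manylinux project: pin the release manager's full fingerprint quoted earlier in the thread, verify against an isolated keyring, and decide on gpg's machine-readable `--status-fd` output rather than on the "Good signature" text. The keyring path is assumed to be a file checked into the build repo, and the sample status lines are constructed.

```python
import subprocess

# Pinned release-manager fingerprint (quoted in the thread); keep it in the repo.
PINNED_FPR = "E3FF2839C048B25C084DEBE9B26995E310250568"

def check_status(status_lines, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) from gpg --status-fd lines.

    GOODSIG and TRUST_* are ignored on purpose: a key gpg just auto-fetched
    yields GOODSIG too. VALIDSIG fields are <sig-key-fpr> <date> <ts> <expire>
    <ver> <reserved> <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>];
    the signer may be a subkey, so the primary fingerprint is compared.
    """
    seen = {}
    for raw in status_lines:
        fields = raw.split()[1:]
        if raw.startswith("[GNUPG:] ") and fields:
            seen.setdefault(fields[0], fields)
    if "NO_PUBKEY" in seen:  # the failure in this PR's build log
        return False, "key %s not in keyring; refusing to auto-fetch" % seen["NO_PUBKEY"][1]
    for bad in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
        if bad in seen:
            return False, "signature rejected: " + bad
    if "VALIDSIG" not in seen:
        return False, "no VALIDSIG line in gpg output"
    f = seen["VALIDSIG"]
    primary = (f[10] if len(f) >= 11 else f[1]).upper()
    if primary != pinned_fpr.upper():
        return False, "signed by unpinned key " + primary
    return True, "good signature from pinned key " + primary

def verify_tarball(tarball, sig, keyring, pinned_fpr=PINNED_FPR):
    """Verify with an isolated keyring (assumed to hold only the pinned key);
    --no-auto-key-retrieve turns an unknown signer into NO_PUBKEY, not a download."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-auto-key-retrieve",
         "--no-default-keyring", "--keyring", keyring, "--verify", sig, tarball],
        capture_output=True, text=True)
    return check_status(proc.stdout.splitlines(), pinned_fpr)

# Constructed sample status output, modelled on the gpg log quoted in the thread.
STATUS_OK = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG B26995E310250568 Łukasz Langa (GPG langa.pl) <lukasz@langa.pl>",
    "[GNUPG:] VALIDSIG E3FF2839C048B25C084DEBE9B26995E310250568 2019-08-29 "
    "1567118587 0 4 0 1 10 00 E3FF2839C048B25C084DEBE9B26995E310250568",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_NOKEY = ["[GNUPG:] NEWSIG", "[GNUPG:] ERRSIG B26995E310250568 1 10 00 1567118587 9",
                "[GNUPG:] NO_PUBKEY B26995E310250568"]
```

With this check a missing key fails the build explicitly instead of being papered over by `--recv-keys`, and a tarball signed by any other key is rejected even if gpg reports it as a good signature.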

@trishankatdatadog

Member

commented Sep 12, 2019

@mattip What a bad idea. Let me comment there directly. Thanks.

@trishankatdatadog

Member

commented Sep 12, 2019
