[tor-dev] Reproducibility of Pluggable Transports python.msi

Jeremy Rand biolizard89 at gmail.com
Sun Sep 6 23:26:16 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I was looking at the Gitian descriptor for the pluggable transports at
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia
n/descriptors/windows/gitian-pluggable-transports.yml
, and I noticed that it has an input file called "python.msi".
Furthermore, I noticed the following line in
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia
n/versions
:

PYTHON_MSI_URL=https://www.python.org/ftp/python/${PYTHON_VER}/${PYTHON_
MSI_PACKAGE}

- From this, I conclude that Python is not being built in Gitian, and
the download from www.python.org is assumed to be safe / not
backdoored.  Is this correct?

If I'm correct, is there a reason that Python is not being built in
Gitian?  Was it attempted and found that Python cannot easily be built
for Windows in Gitian?  Or was it not attempted and just still on the
to-do list?  I don't see any relevant ticket on Trac.

Thanks,
- -Jeremy Rand
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV7Mt1AAoJEAHN/EbZ1y06nL8QAM4qhFMupoippBIvI4JwlLZ6
Vf4wNWA2/IY+62DQ4hpkPRPX/vT48lJIJnPXUxQ427ruX/txYs+T8Yw/RyiW6eq8
AWrkj3DZTYE4RtgEnTazA7NEpiv0YFOuRdyKoyjZyR1MAZTWpZ12TS/hkXaksWsx
mZX7EJMv9GBNthMLGoJ5cpTdXymhbGgvOGcF1esxZlzEQnusbaMjCNHv+GzLXGBr
xEFUzjuIeuvzZxHgmTqTujjMev9kMYqpRVoyg2JbRhZz/LwbfuQssDMlTRVOmpCu
FwCw9RbyZyaBzrnoZLbJ9hs6JQz/cKYcv0kOmEncTprc6IVdZDnMj5guT0rwUycn
r9x0ZB0Uz7FRPnqIgmeHLn9JmFPuF9IWc6Kl3fILNsYMCF+AyOBAB7QVFgSftXMQ
2+ifWG6OdAZfM0jau1L6phlILJtvc79ClHhp86wIeSQ7k0mEKn9JOzEg+YRXLS4L
ZAoTFKSfNrukMtmdUhgb97yl7MA+wsdWCpMybZRpSJQYMiNlL33njG8kYMdbuhX/
uDTFmc1b3IGWhfRdAtaIK9sZzkTYTzFg30Ypr8uYte7McU+QOMHbWZGZ46KL79k7
uZxPt2bcKSzEP9KP28Pkz0Hc0v0qGYD0BrAzeYkYVB9FhLQF5vs1jDfn2YI7VQbI
HSs0NTTkxWHkro3tnzeU
=jg/n
-----END PGP SIGNATURE-----


More information about the tor-dev mailing list