Bogus 3.10 beta 1 build?

GitHub Actions provides Python versions, and made a 3.10beta1 a few weeks ago: [versions-manifest] Update for release from 04/19/2021 by github-actions · Pull Request #92 · actions/python-versions · GitHub

They say it’s because of this .tgz on python.org: https://www.python.org/ftp/python/3.10.0/Python-3.10.0b1.tgz

Where did that .tgz come from? Should it be removed?

The .tgz has already been removed. See: Bogus "3.10.0-beta.1" release · Issue #207 · actions/setup-python · GitHub

I am investigating what process created such a tarball so this doesn’t happen again. I checked and there was no other trace of this, so my guess is that this has been some kind of automation or human error at some problem in the download server.

I’m seeing an invalid signature on the 3.10.0b1 published yesterday on manylinux image builds.
Could this be related (i.e. a leftover signature from the bogus build)?

[root@cf490f59ea99 ~]# gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 64E628F8D684696D
gpg: requesting key D684696D from hkp server ha.pool.sks-keyservers.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D684696D: public key "Pablo Galindo Salgado <pablogsal@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@cf490f59ea99 ~]# curl -fsSLO https://www.python.org/ftp/python/3.10.0/Python-3.10.0b1.tgz.asc
[root@cf490f59ea99 ~]# curl -fsSLO https://www.python.org/ftp/python/3.10.0/Python-3.10.0b1.tgz
[root@cf490f59ea99 ~]# gpg --verify Python-3.10.0b1.tgz.asc
gpg: Signature made Mon 12 Apr 2021 04:43:00 PM UTC using RSA key ID 168BD847
gpg: BAD signature from "Pablo Galindo Salgado <pablogsal@gmail.com>"

It’s possible; I will investigate today.

Seems that the CDN was serving the old bogus file for the signature. I have purged the CDN and this should pick up the new signature:

/tmp
❯ curl -fsSLO https://www.python.org/ftp/python/3.10.0/Python-3.10.0b1.tgz

/tmp
❯ curl -fsSLO https://www.python.org/ftp/python/3.10.0/Python-3.10.0b1.tgz.asc

/tmp
❯ gpg --verify Python-3.10.0b1.tgz.asc
gpg: assuming signed data in 'Python-3.10.0b1.tgz'
gpg: Signature made Mon 03 May 2021 08:36:13 PM BST
gpg:                using RSA key CFDCA245B1043CF2A5F97865FFE87404168BD847
gpg: Good signature from "Pablo Galindo Salgado <pablogsal@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A035 C8C1 9219 BA82 1ECE  A86B 64E6 28F8 D684 696D
     Subkey fingerprint: CFDC A245 B104 3CF2 A5F9  7865 FFE8 7404 168B D847
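The BAD signature earlier in the thread is exactly the case a build script must refuse, and grepping gpg's human-readable "Good signature" line is fragile. As an added example that is not part of this thread or of any python.org tooling, here is a POSIX shell helper that reads gpg's machine-readable `--status-fd` lines, accepts only a VALIDSIG whose primary-key fingerprint matches a pinned value (the fingerprint printed above, with spaces removed), and treats BADSIG/ERRSIG as failure; the status lines in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify a release tarball against its
# detached .asc signature using gpg's status output, and pin the primary-key
# fingerprint instead of trusting the "Good signature" text.

# Primary key fingerprint printed by gpg in the thread above (spaces removed).
EXPECTED_PRIMARY_FPR="A035C8C19219BA821ECEA86B64E628F8D684696D"

# check_gpg_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Prints a one-word verdict and
# returns 0 only when a VALIDSIG line names the pinned primary key and no
# BADSIG/ERRSIG line was seen. A stale or corrupted .asc (the BAD signature
# case above) yields "bad-signature"; a signature from another key yields
# "wrong-key"; no signature at all yields "no-signature".
check_gpg_status() {
    expected="$1"
    bad=0
    primary=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res>
                #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
                primary="${line##* }"   # last field: primary key fingerprint
                ;;
        esac
    done
    if [ "$bad" -ne 0 ]; then
        echo "bad-signature"; return 1
    elif [ -z "$primary" ]; then
        echo "no-signature"; return 1
    elif [ "$primary" != "$expected" ]; then
        echo "wrong-key"; return 1
    fi
    echo "ok"
}

# verify_release FILE.asc FILE
# --status-fd 1 sends the status lines to stdout (human-readable output stays
# on stderr), so they can be piped straight into check_gpg_status.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_gpg_status "$EXPECTED_PRIMARY_FPR"
}
```

Pinning the primary fingerprint (rather than the signing subkey's) keeps the check valid across subkey rotation, which is why the example compares the last VALIDSIG field.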

FWIW, my publish script purges everything that it publishes every time (see Tools/msi/purge.py). Might be worth adding something similar to the other publish scripts?

Great idea! I incorporated a CDN purge step into the release automation script I am using!
