[Catalog-sig] PEP 381: server signatures (Was: Troubled by changes to PyPI usage agreement)
Tarek Ziadé
ziade.tarek at gmail.com
Thu Jan 21 00:41:13 CET 2010
2010/1/21 "Martin v. Löwis" <martin at v.loewis.de>:
>> The only verification done is the md5 hash on the file, which can be
>> changed on the mirror (nothing prevents the mirror to compute its own
>> MD5 fragments in the download URLs)
>
> That's not true. Changing the MD-5 would require to change the simple
> page, and that in turn would break the server signature to that page.
>
> In case you are unaware of the server signature, please have a look at
>
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html
>
I forgot about that one, thanks for the memories
> I'd appreciate if that would be added to the PEP.
>
Yes definitely, I'll do that
Regards
Tarek
--
Tarek Ziadé | http://ziade.org
More information about the Catalog-SIG
mailing list