[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Chris Withers chris at simplistix.co.uk
Wed Feb 1 10:18:41 CET 2012


On 01/02/2012 09:15, Richard Jones wrote:
> On 1 February 2012 19:36, Chris Withers<chris at simplistix.co.uk>  wrote:
>> If you actually cared about security, you'd already be using, recording and
>> checking the MD5 checksums provided with each download and would already
>> know that this isn't a security loophole.
>>
>> If you're not, then quit with the security theater.
>
> I believe the "security theater" of MD5 was proven, and exploits
> freely available, back in 2005 :-)

Well now, that's a valid argument, so what hashing technique should we 
be using? ;-)

Chris - https://twitter.com/#!/chrismcdonough/status/159877313771737088

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
             - http://www.simplistix.co.uk
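An added example, not code from this thread nor from PyPI or pip, of the client-side check Chris describes: record a digest at first download and verify later downloads against it, refusing MD5 in favour of the SHA-2 family. The `<algorithm>:<hexdigest>` pin syntax, the accepted-algorithm policy and the sample archive bytes are constructed for this example.

```python
import hashlib
import hmac

# Digest algorithms this example accepts for release-file pins. MD5 (and SHA-1) are
# deliberately absent: collisions are practical, so a matching digest no longer proves
# the file is the one the uploader recorded. (Policy chosen for this example.)
ACCEPTED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory file with the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Stream a file from disk through hashlib, so large archives need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(data, pin):
    """Check downloaded bytes against a recorded '<algorithm>:<hexdigest>' pin.

    Returns (ok, reason). The pin is the value the client recorded at first download;
    a later download that hashes differently means the file was replaced or corrupted.
    """
    algorithm, sep, expected = pin.partition(":")
    algorithm = algorithm.lower()
    if not sep or not expected:
        return False, "malformed pin, expected '<algorithm>:<hexdigest>'"
    if algorithm not in ACCEPTED_ALGORITHMS:
        return False, f"{algorithm} is not an accepted algorithm for integrity checks"
    actual = digest_bytes(data, algorithm)
    # Constant-time comparison: not needed for a local file check, but it is the
    # habit to keep for any digest or token comparison.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"{algorithm} mismatch: recorded {expected[:12]}..., got {actual[:12]}..."
    return True, f"{algorithm} digest matches recorded pin"


# Constructed sample "release file" and the pin a client would have recorded for it.
SAMPLE_SDIST = b"PK\x03\x04 constructed stand-in for a release archive\n"
SAMPLE_PIN = "sha256:" + digest_bytes(SAMPLE_SDIST, "sha256")

if __name__ == "__main__":
    print(verify_release(SAMPLE_SDIST, SAMPLE_PIN))
    print(verify_release(SAMPLE_SDIST + b"\x00", SAMPLE_PIN))  # replaced or corrupted file
    print(verify_release(SAMPLE_SDIST, "md5:" + "0" * 32))     # weak algorithm refused
```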

