[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Richard Jones richard at python.org
Wed Feb 1 10:15:54 CET 2012


On 1 February 2012 19:36, Chris Withers <chris at simplistix.co.uk> wrote:
> If you actually cared about security, you'd already be using, recording and
> checking the MD5 checksums provided with each download and would already
> know that this isn't a security loophole.
>
> If you're not, then quit with the security theater.

I believe the "security theater" of MD5 was proven, and exploits
freely available, back in 2005 :-)


     Richard
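Added example, not part of this thread or of the PyPI code base: the "record and check the checksums of each download" practice Chris describes, written so that the manifest is built with SHA-256 (or SHA-512) and a manifest that relies on MD5 is refused outright, since a matching MD5 says little about whether a file was quietly replaced. File names and contents below are constructed for the demonstration; the manifest format is an assumption, not anything PyPI publishes.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Digest algorithms the checker will trust. MD5 is deliberately absent:
# practical collision attacks against it have been public since 2004/2005.
STRONG_ALGORITHMS = ("sha256", "sha512")


def digest_file(path, algorithm="sha256"):
    """Hex digest of a file, streamed so large archives need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_manifest(paths, algorithm="sha256"):
    """Record {filename: digest} for a set of files at first download.

    The manifest is the thing you keep (in version control, a lock file, etc.)
    so that a later re-download of the "same" file can be compared against it.
    """
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"{algorithm} is not an accepted digest algorithm")
    return {
        "algorithm": algorithm,
        "files": {os.path.basename(p): digest_file(p, algorithm) for p in paths},
    }


def verify_manifest(manifest, paths):
    """Compare the files on disk against a previously recorded manifest.

    Returns {filename: "ok" | "changed" | "missing-from-manifest"}.
    Raises ValueError rather than "verifying" with a weak algorithm.
    """
    algorithm = manifest["algorithm"]
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"refusing to trust a manifest built with {algorithm}")
    results = {}
    for p in paths:
        name = os.path.basename(p)
        expected = manifest["files"].get(name)
        if expected is None:
            results[name] = "missing-from-manifest"
            continue
        actual = digest_file(p, algorithm)
        # constant-time comparison; the digests are public, but it costs nothing
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "changed"
    return results


def demo():
    """Constructed scenario: record a release file, then replace its contents
    under the same filename, as a file-replacement on the index would."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "example-1.0.tar.gz")  # constructed name, not a real package
        with open(pkg, "wb") as f:
            f.write(b"original release contents")
        manifest = record_manifest([pkg])
        before = verify_manifest(manifest, [pkg])
        with open(pkg, "wb") as f:
            f.write(b"re-uploaded contents under the same filename")
        after = verify_manifest(manifest, [pkg])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before_replacement": before, "after_replacement": after}, indent=2))
```

The manifest is only as good as the copy you keep out of the index's reach; the check detects a replaced file, it does not tell you which of the two versions the author intended.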

