[Catalog-sig] getting the public key when --sign is used

martin at v.loewis.de martin at v.loewis.de
Mon Nov 19 23:40:03 CET 2012


Quote from Daniel Holth <dholth at gmail.com>:

> Unfortunately the whole signed mirror system falls down because it relies
> on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although the signing
> key seems to be long enough.

You are misinterpreting the vulnerability. It does not apply to the
way in which md5 is used in PyPI.

So in no way does the system "fall down".

Regards,
Martin