[Distutils] Removing wheel signing features from the wheel library

Thomas Kluyver thomas at kluyver.me.uk
Fri Mar 23 03:45:18 EDT 2018


On Fri, Mar 23, 2018, at 6:56 AM, alex.gronholm at nextday.fi wrote:
> If someone wanted to make a malicious file, what's preventing them
> from modifying the RECORD to match the modified file when there is no
> cryptographic signing involved?
Right: you need a way to verify RECORD on top of that. Like the signatures, or a way to distribute hashes of RECORD files separately. The hashes in RECORD are a foundation for building security systems, not a security system in themselves.
Thomas
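
The point made in this reply, as an added example (not part of the original message and not code from the wheel library): an archive whose RECORD has been regenerated still passes a self-consistency check, and only a hash of RECORD obtained separately detects the change. The package name `demo`, the helper names and the sample archives are constructed for illustration, and separate distribution of the RECORD hash is modelled as a pinned string.

```python
import base64, csv, hashlib, io, zipfile

RECORD = "demo-1.0.dist-info/RECORD"  # constructed package name (assumption)

def record_hash(data: bytes) -> str:
    """Digest in RECORD's notation: sha256=<urlsafe base64, padding stripped>."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_wheel(files: dict) -> bytes:
    """Build a minimal wheel-like zip whose RECORD lists every file's hash and size."""
    rows = [(n, record_hash(d), str(len(d))) for n, d in files.items()]
    rows.append((RECORD, "", ""))  # RECORD cannot contain its own hash
    text = io.StringIO()
    csv.writer(text, lineterminator="\n").writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(RECORD, text.getvalue())
    return buf.getvalue()

def record_is_consistent(wheel: bytes) -> bool:
    """Integrity only: archive contents agree with the RECORD inside the archive."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        rows = [r for r in csv.reader(io.StringIO(zf.read(RECORD).decode())) if r]
        if {r[0] for r in rows} != set(zf.namelist()):
            return False  # a file is unlisted or missing
        for name, expected, size in rows:
            if name == RECORD:
                continue
            data = zf.read(name)
            if record_hash(data) != expected or str(len(data)) != size:
                return False
    return True

def record_matches_pin(wheel: bytes, pinned: str) -> bool:
    """Authenticity: RECORD equals the hash obtained through a separate channel."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return record_hash(zf.read(RECORD)) == pinned

# Constructed sample data: a published wheel, the RECORD hash its publisher
# distributes separately, and an altered copy whose RECORD was regenerated.
ORIGINAL = build_wheel({"demo/__init__.py": b"VERSION = '1.0'\n"})
with zipfile.ZipFile(io.BytesIO(ORIGINAL)) as _zf:
    PINNED = record_hash(_zf.read(RECORD))
ALTERED = build_wheel({"demo/__init__.py": b"VERSION = '1.0'  # changed\n"})

if __name__ == "__main__":
    for label, whl in (("original", ORIGINAL), ("altered", ALTERED)):
        print(label, record_is_consistent(whl), record_matches_pin(whl, PINNED))
```

The altered archive is internally consistent, so `record_is_consistent` accepts it; the comparison against the separately held hash is the step that rejects it.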
