[Catalog-sig] PEP 381: server signatures (Was: Troubled by changes to PyPI usage agreement)
ziade.tarek at gmail.com
Thu Jan 21 00:41:13 CET 2010
2010/1/21 "Martin v. Löwis" <martin at v.loewis.de>:
>> The only verification done is the md5 hash on the file, which can be
>> changed on the mirror (nothing prevents the mirror from computing its own
>> MD5 fragments in the download URLs)
> That's not true. Changing the MD-5 would require changing the simple
> page, and that in turn would break the server signature to that page.
> In case you are unaware of the server signature, please have a look at
I forgot about that one, thanks for the memories.
> I'd appreciate if that would be added to the PEP.
Yes, definitely, I'll do that.
Tarek Ziadé | http://ziade.org