Moore, Paul wrote:
From: Keith Jackson [mailto:krjackson@lbl.gov]
A single S/MIME email from you or Jack would totally suffice for me for the short term. That way I could look in the archive, verify the sig, and know that the hashes are valid. (Assuming you and Jack aren't really black hats. :)
Ironically, that message just came through with an "invalid digital signature" warning. I've no idea what Outlook (yes, I know, so sue me) considers in making this judgement, but I no longer trust anything you say, in case you are not who you say you are :-)
FWIW, the PSF will start creating a web of trust which should allow you to trust signatures if you see them on the web without actually knowing the person owning the signature.
On a more serious note, this demonstrates why I don't trust digital signatures much. Unless this really *was* someone else masquerading as Keith, what do I do? I've never seen a genuinely hacked download, to my knowledge, but I *have* seen warnings and errors from invalid signatures. So ignoring signature errors is the correct approach, based on the evidence I have encountered!
I'm not trying to argue the case, just to demonstrate how the world looks from the POV of security-naive people like me...
Perhaps distutils should simply start to add MD5 or SHA hash sums of the created archives to the meta-data which gets uploaded to e.g. PyPI. That way, the user can easily see whether a mirror has the correct packages or not. Better than nothing, I'd say, and easy to implement even without having to go through all the PKI stuff :-)

-- Marc-Andre Lemburg, eGenix.com Professional Python Services directly from the Source (#1, Feb 03 2004)
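As an added illustration of the proposal above (not code from the thread, from distutils or from PyPI): digests computed at upload time, carried in the index metadata, and checked against a mirror's copy. The metadata layout and function names are assumptions, and the archive is a constructed in-memory stand-in for an sdist.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Dict, Iterable

# MD5 because the thread mentions it; SHA-256 is the one to actually rely on.
HASH_ALGORITHMS = ("md5", "sha256")


def digest_archive(data: bytes, algorithms: Iterable[str] = HASH_ALGORITHMS) -> Dict[str, str]:
    """Hash the archive bytes with every algorithm, streaming in chunks as an upload tool would."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream = io.BytesIO(data)
    for chunk in iter(lambda: stream.read(64 * 1024), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_metadata(name: str, version: str, archive: bytes) -> dict:
    """Hypothetical extra fields the upload could attach: the digests travel with the index, not the mirror."""
    return {
        "name": name,
        "version": version,
        "filename": f"{name}-{version}.tar.gz",
        "digests": digest_archive(archive),
    }


def verify_mirror_copy(index_metadata: dict, mirrored_archive: bytes) -> Dict[str, bool]:
    """Compare a mirror's copy with the index digests; one result per algorithm, compared in constant time."""
    expected = index_metadata["digests"]
    actual = digest_archive(mirrored_archive, expected.keys())
    return {name: hmac.compare_digest(actual[name], value) for name, value in expected.items()}


def make_sdist(files: Dict[str, bytes]) -> bytes:
    """Constructed sample: a tiny tar.gz built in memory, standing in for a distutils sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def tampered_copy(archive: bytes) -> bytes:
    """Constructed sample: flip one bit in the last byte, as a corrupted or altered mirror copy would look."""
    return archive[:-1] + bytes([archive[-1] ^ 0x01])
```

The check only tells the user whether the mirror matches what the index recorded; it says nothing about whether the index itself or the original upload was tampered with, which is the gap the signatures discussed above are meant to close.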