
On Tuesday, February 12, 2019, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-02-12 18:42:29 -0500 (-0500), Wes Turner wrote: [...]
All it has to be is an archive containing a setup.py.
"MD5 considered harmful today: Creating a rogue CA certificate" (2008) https://www.win.tue.nl/hashclash/rogue-ca/
You keep trotting out PKI examples as if they have anything whatsoever to do with checksumming, but I'm quickly getting the distinct impression you don't actually know the difference so I'll stop now as we've gone well off-topic for this list. -- Jeremy Stanley
You hash the file. The hash is compared against a list. If the hash matches, it's considered valid. In 2008, they were able to generate a file that has the same MD5 hash as one in a list of considered-good hashes, which is also a valid X.509 cert. How is that at all different from generating an archive with a setup.py that has the same hash as something listed on PyPI?

Trotting ... "Westminster Dad Show" https://youtu.be/2S2gQjTURvU ...

Now you've suggested that I'm FUD'ing: is there a difference between finding an X.509 cert hash and a .tgz/.zip with a setup.py or setup.pyc hash? Maybe there's something fundamental that I've misunderstood? (So sorry to interrupt)
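The check being argued over in this thread (hash the downloaded archive, compare it with a pinned list, accept on a match) written out in Python, as an added example that is not code from the thread, from pip or from PyPI. It assumes pip-style `algorithm:hexdigest` hash specs, uses a constructed byte string in place of a real sdist, and refuses MD5 specs outright rather than treating an MD5 match as proof, since a verifier that accepts a colliding digest is exactly what the 2008 rogue-CA work exploited.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded sdist archive; not a real package.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed sdist bytes: setup.py, PKG-INFO, src/pkg/__init__.py"

# Digest algorithms accepted for verification. MD5 (and SHA-1) are left out:
# if an attacker can produce a second archive with the same digest, a
# "hash matches the list, so it is valid" check proves nothing for that algorithm.
ACCEPTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def parse_hash_spec(spec):
    """Split an 'algorithm:hexdigest' string (pip --hash style, assumed) into its parts."""
    algo, sep, digest = spec.strip().partition(":")
    if not sep or not digest:
        raise ValueError(f"malformed hash spec: {spec!r}")
    return algo.lower(), digest.lower()


def digest_bytes(data, algo):
    """Hex digest of data under the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def verify_archive(data, allowed_specs):
    """Check archive bytes against a list of pinned hash specs.

    Returns one of:
      "ok"         - a strong digest matched
      "mismatch"   - strong digests were listed but none matched
      "no-strong"  - only weak or unknown algorithms were listed, so nothing was proven
    """
    saw_strong = False
    for spec in allowed_specs:
        algo, expected = parse_hash_spec(spec)
        if algo not in ACCEPTED_ALGORITHMS:
            continue  # an MD5 match is not evidence; do not count it either way
        saw_strong = True
        actual = digest_bytes(data, algo)
        # Constant-time comparison so timing does not leak how much of the digest matched.
        if hmac.compare_digest(actual, expected):
            return "ok"
    return "mismatch" if saw_strong else "no-strong"


if __name__ == "__main__":
    pinned = ["sha256:" + digest_bytes(SAMPLE_ARCHIVE, "sha256")]
    print(verify_archive(SAMPLE_ARCHIVE, pinned))              # ok
    print(verify_archive(SAMPLE_ARCHIVE + b"x", pinned))       # mismatch
    weak_only = ["md5:" + digest_bytes(SAMPLE_ARCHIVE, "md5")]
    print(verify_archive(SAMPLE_ARCHIVE, weak_only))           # no-strong
```

The third outcome is the one the thread is really about: a list that pins only MD5 digests gives the verifier nothing it can safely act on, so the code reports that separately instead of silently passing or failing.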