On 28.05.2015 19:46, Pauli Virtanen wrote:
28.05.2015, 20:35, Sturla Molden wrote:
Pauli Virtanen wrote: Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the "Releases" section --- there's one for each tag.
And then Sourceforge will put up tainted installers "for the benefit of NumPy users". :)
Well, let them. They may already be tainted, who knows. It's phishing and malware distribution at that point, and there are some ways to deal with that (safe browsing, AV etc).
There is no guarantee that github will not do this stuff in future too; also PyPI or self-hosting do not necessarily help, as those resources can be compromised. The main thing that should be learned from this and the many similar incidents in the past is that binaries from the internet need to be verified if they have been modified from their original state, otherwise they cannot be trusted. With my mail I wanted to bring to attention that both numpy (since 1.7.2) and scipy (since 0.14.1) allow users to do so via the signed README.txt containing checksums.
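As an added example (not code from the thread or from the NumPy/SciPy projects), the verification workflow the message describes, in Python: it assumes README.txt is a GPG-clearsigned text file with checksum lines of the form "<hexdigest>  <filename>", and the sample README body and file contents are constructed, not taken from a real release.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
_ALGO_BY_LEN = {32: "md5", 64: "sha256"}   # hex digest length -> hashlib name
_LINE = re.compile(r"^\s*([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+(\S+)\s*$")

# Constructed sample README body (not a real release file; PGP armor omitted).
SAMPLE_README = """\
SHA256
~~~~~~
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592  example-1.0.tar.gz
"""

def verify_signature(readme_path, keyring=None):
    """True only if gpg accepts the clearsign signature; run this before trusting
    any digest, with --keyring pointing at a file holding only the release key."""
    cmd = ["gpg", "--batch", "--verify"] + (["--no-default-keyring", "--keyring", keyring] if keyring else [])
    return subprocess.run(cmd + [str(readme_path)], capture_output=True).returncode == 0

def parse_checksums(text):
    """Return {filename: [(algo, hexdigest), ...]} for every checksum line."""
    sums = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            digest = m.group(1).lower()
            sums.setdefault(m.group(2), []).append((_ALGO_BY_LEN[len(digest)], digest))
    return sums

def verify_download(path, sums):
    """Recompute every listed digest for the file; unlisted files fail too."""
    expected = sums.get(Path(path).name)
    if not expected:
        return False
    data = Path(path).read_bytes()
    return all(hashlib.new(algo, data).hexdigest() == digest for algo, digest in expected)

def demo():
    # Check a good, a tampered and an unlisted file; returns three booleans.
    d = Path(tempfile.mkdtemp())
    sums = parse_checksums(SAMPLE_README)
    f = d / "example-1.0.tar.gz"
    f.write_bytes(b"The quick brown fox jumps over the lazy dog")
    good = verify_download(f, sums)
    f.write_bytes(b"The quick brown fox jumps over the lazy dog!")  # one byte appended
    tampered = verify_download(f, sums)
    (d / "unlisted.zip").write_bytes(b"x")
    return good, tampered, verify_download(d / "unlisted.zip", sums)
```

The order matters: a checksum list is only as trustworthy as the signature over it, so `verify_signature` must succeed before any digest from `parse_checksums` is compared.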