Donald Stufft firstname.lastname@example.org wrote:
Today I've switched to manual install mode with manual sha256sum verification which is far safer than anything you get via pip right now.
It is not safer in any meaningful way.
If someone is in a position to compromise the integrity of PyPI's TLS, they can replace the hash on that page with something else. Now you've attempted to work around this by telling people to go look up the release announcement hash. However if someone can compromise the integrity of PyPI's TLS, they can also compromise the integrity of https://mail.python.org/, or GMane, or any other TLS based website.
Of course it is safer. Suppose a file is stored on PyPI:
1) Attacker guesses my username (or is it even visible, I'm not sure).
2) Clicks on "lost login".
3) Intercepts mail (difficult, but far from the TLS attack category). Maybe on a home or university network. Or a rogue person at a mail provider.
4) Changes the uploaded file together with the hash.
pip would be perfectly happy, checking the hash via Google would turn up a mismatch.
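The scenario above turns on one check: the hash shown beside the file on the index is only as trustworthy as the account that uploaded it, whereas a hash published separately (a release announcement on a mailing list) is a second, independent source. The following script is an added example, not code from this thread or from pip; it computes the SHA-256 of a downloaded file and compares it against every out-of-band hash you collected, so a file whose index hash was rewritten along with it still fails against the announcement. The file contents and both hashes are constructed for the demonstration, and the source names ("index_page", "release_announcement") are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large sdists don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_sources(path: Path, expected: dict) -> dict:
    """Compare the file's hash with the hash obtained from each independent source.

    Returns {source_name: matched}. hmac.compare_digest avoids leaking
    which prefix of the digest differed through timing.
    """
    actual = sha256_file(path)
    return {
        source: hmac.compare_digest(actual, digest.strip().lower())
        for source, digest in expected.items()
    }


def all_sources_agree(path: Path, expected: dict) -> bool:
    """Accept the file only if every collected hash matches; one disagreement is a red flag."""
    return all(verify_against_sources(path, expected).values())


def demo() -> dict:
    """Constructed replay of the thread's scenario: attacker replaced file AND index hash."""
    genuine = b"genuine package-1.0.tar.gz contents (constructed)"
    tampered = b"tampered package-1.0.tar.gz contents (constructed)"

    # Hash the maintainer posted in the release announcement before the account was hijacked
    announcement_hash = hashlib.sha256(genuine).hexdigest()
    # Hash now shown on the index page, updated by the attacker to match the swapped file
    index_hash = hashlib.sha256(tampered).hexdigest()

    with tempfile.TemporaryDirectory() as d:
        downloaded = Path(d) / "package-1.0.tar.gz"
        downloaded.write_bytes(tampered)  # what the installer actually fetched
        return verify_against_sources(
            downloaded,
            {"index_page": index_hash, "release_announcement": announcement_hash},
        )


if __name__ == "__main__":
    for source, ok in demo().items():
        print(f"{source:22s} {'match' if ok else 'MISMATCH'}")
```

Running it prints a match for the index page and a mismatch for the announcement, which is exactly the signal the thread describes: an installer that trusts only the index hash is satisfied, a human who also checks the announcement is not. In practice, the announcement hash should come from a channel the uploader account cannot edit, such as a signed mailing-list post or a release note in a repository the attacker does not control.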