Stefan Krah wrote:

On May 8, 2014, at 12:03 PM, Donald Stufft wrote:

> I said "meaningful". Almost nobody is going to ever bother googling it and the likelihood that someone is able to MITM *you* specifically is far lesser than the likelihood that someone is going to MITM one of the cdecimal users.

I'm doing this for important installs. -- That is how I installed qmail and djbdns.

> Additionally your messages aren't signed and email isn't an authenticated profile so if someone was able to get your password they could simply spoof an email from you to the mailing list with new hashes, or edit out the description telling people to go google some stuff.

Signing messages is pointless if the key isn't well connected. Also, I'm reading the lists and would notice a "release". Most importantly, the checksum mismatch would still be found, since the old messages with the correct sum would still exist under the scenario we're talking about (i.e. not GCHQ hacking into Belgacom routers).
Donald Stufft wrote:

I’m unsure if you’re being willfully dense or if you’re just not understanding what I mean when I say “almost”. Of course there are going to be a few outliers where people do bother to do that, but it’s not going to be commonplace at all. But whatever, I’ve removed the warning that occurs when you install an externally hosted file [1] and it will be included in pip 1.6. I have not changed the defaults for --allow-all-external nor have I removed the warning that occurs when someone elects to install an unverifiable download.

[1] https://github.com/pypa/pip/commit/9f56b79e8d

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA