On May 8, 2014, at 11:34 AM, Stefan Krah <stefan@bytereef.org> wrote:

> Donald Stufft <donald@stufft.io> wrote:
>>> Today I've switched to manual install mode with manual sha256sum verification which is far safer than anything you get via pip right now.
>>
>> It is not safer in any meaningful way.
>>
>> If someone is in a position to compromise the integrity of PyPI's TLS, they can replace the hash on that page with something else. Now you've attempted to work around this by telling people to go look up the release announcement hash. However if someone can compromise the integrity of PyPI's TLS, they can also compromise the integrity of https://mail.python.org/, or GMane, or any other TLS based website[1].
>
> Of course it is safer. Suppose a file is stored on PyPI:
>
> 1) Attacker guesses my username (or is it even visible, I'm not sure).
> 2) Clicks on "lost login".
> 3) Intercepts mail (difficult, but far from the TLS attack category). Maybe on a home or university network. Or a rogue person at a mail provider.
> 4) Changes the uploaded file together with the hash.
>
> pip would be perfectly happy, checking the hash via Google would turn up a mismatch.
I said “meaningful”. Almost nobody is going to ever bother googling it, and the likelihood that someone is able to MITM you specifically is far less than the likelihood that someone is going to MITM one of the cdecimal users.

Additionally, your messages aren’t signed and email isn’t an authenticated protocol, so if someone was able to get your password they could simply spoof an email from you to the mailing list with new hashes, or edit out the description telling people to go google some stuff.
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
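The point the two of them are arguing over, as an added illustration that is not code from this thread, from pip or from PyPI: a hash taken from the same page as the file is only as trustworthy as that page, while a hash pinned from a separate channel catches a swapped release. The `index_page` dict, the sample sdist bytes and the "announced" digest below are constructed stand-ins for a PyPI simple-index entry and a release announcement; the only real primitives are SHA-256 and a constant-time comparison.

```python
import hashlib
import hmac

# Constructed sample release and the digest its author would have published
# out of band (e.g. in the release announcement). Not real cdecimal files.
GENUINE_SDIST = b"cdecimal-2.3.tar.gz: genuine contents (constructed sample)\n"
ANNOUNCED_SHA256 = hashlib.sha256(GENUINE_SDIST).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the file's digest against a pinned hex digest in constant time,
    tolerating case and surrounding whitespace as pasted from a mail."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def index_page(sdist: bytes, index_hash: str) -> dict:
    """Hypothetical model of an index entry: the file plus the hash shown beside it."""
    return {"file": sdist, "sha256": index_hash}


def install_trusting_index(entry: dict) -> bool:
    """A client that takes the hash from the same page as the file. The hash only
    detects a corrupted download, not a release swapped by whoever controls the page."""
    return verify_sha256(entry["file"], entry["sha256"])


def install_with_pinned_hash(entry: dict, pinned_hex: str) -> bool:
    """A client that compares against a hash obtained through a separate channel."""
    return verify_sha256(entry["file"], pinned_hex)


def attacker_replaces_release(entry: dict, malicious: bytes) -> dict:
    """Step 4 of the scenario in the thread: someone holding the maintainer's
    credentials uploads a new file, and the index now shows a matching hash."""
    return index_page(malicious, sha256_hex(malicious))


def scenario() -> dict:
    """Run both clients against the genuine and the swapped release."""
    genuine = index_page(GENUINE_SDIST, sha256_hex(GENUINE_SDIST))
    tampered = attacker_replaces_release(
        genuine, b"cdecimal-2.3.tar.gz: backdoored contents (constructed sample)\n"
    )
    return {
        "genuine_index_check": install_trusting_index(genuine),
        "genuine_pinned_check": install_with_pinned_hash(genuine, ANNOUNCED_SHA256),
        # The swapped file passes when the hash comes from the same page...
        "tampered_index_check": install_trusting_index(tampered),
        # ...and fails only against the out-of-band pinned digest.
        "tampered_pinned_check": install_with_pinned_hash(tampered, ANNOUNCED_SHA256),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The swapped release passes the index-page check and fails the pinned check, which is Stefan's point; whether anyone actually fetches the pinned digest from a second channel, and whether that second channel is itself authenticated, is Donald's.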