[Catalog-sig] PEP 381: server signatures (Was: Troubled by changes to PyPI usage agreement)

"Martin v. Löwis" martin at v.loewis.de
Thu Jan 21 00:35:27 CET 2010

> The only verification done is the md5 hash on the file, which can be
> changed on the mirror (nothing prevents the mirror to compute its own
> MD5 fragments in the download URLs)

That's not true. Changing the MD-5 would require to change the simple
page, and that in turn would break the server signature to that page.

In case you are unaware of the server signature, please have a look at


I'd appreciate if that would be added to the PEP.


More information about the Catalog-SIG mailing list