[Catalog-sig] PEP 381: server signatures (Was: Troubled by changes to PyPI usage agreement)
"Martin v. Löwis"
martin at v.loewis.de
Thu Jan 21 00:35:27 CET 2010
> The only verification done is the md5 hash on the file, which can be
> changed on the mirror (nothing prevents the mirror to compute its own
> MD5 fragments in the download URLs)
That's not true. Changing the MD-5 would require to change the simple
page, and that in turn would break the server signature to that page.
In case you are unaware of the server signature, please have a look at
I'd appreciate if that would be added to the PEP.
More information about the Catalog-SIG