[Catalog-sig] PEP 381: server signatures (Was: Troubled by changes to PyPI usage agreement)

Tarek Ziadé ziade.tarek at gmail.com
Thu Jan 21 00:41:13 CET 2010

2010/1/21 "Martin v. Löwis" <martin at v.loewis.de>:
>> The only verification done is the md5 hash on the file, which can be
>> changed on the mirror (nothing prevents the mirror to compute its own
>> MD5 fragments in the download URLs)
> That's not true. Changing the MD-5 would require to change the simple
> page, and that in turn would break the server signature to that page.
> In case you are unaware of the server signature, please have a look at
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

I forgot about that one, thanks for the memories

> I'd appreciate if that would be added to the PEP.

Yes definitely, I'll do that


Tarek Ziadé | http://ziade.org

More information about the Catalog-SIG mailing list