[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 16 01:04:36 CEST 2010

Am 16.06.2010 00:37, schrieb Fred Drake:
> On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano <steve at pearwood.info> wrote:
>> A digital signature is not an MD5 checksum, it may have actual legal
>> meaning in many countries equivalent to a pen and paper signature.
> I would expect that verifying a package was signed by PyPI to mean no more than
> that the bits match what's available from PyPI for the same name.  (Not sure if
> that's what's in the PEP, but that's what I'd be looking for.)

It's indeed exactly that.

> We'd have to disclaim anything more than that.  But it would be useful to verify
> that a package from a mirror was accurately mirrored.

There are actually two layers here: one is to verify that the 
transmission was not faulty; for this, the md5sum that is already in the 
simple pages should be enough (and *please* don't tell me that md5 is 

Of course, an adversary could then try to modify the simple pages, 
that's what the actual signatures are for.
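As an added illustration of the two layers described above (example code written for this page, not code from the thread, from PyPI or from the PEP): a mirror client first checks the md5 recorded in the simple page against the bytes it downloaded, which catches a faulty transfer, and separately checks a signature over the simple page itself, which is what catches an adversary who rewrites the page to match a substituted file. The HMAC used as a stand-in for the origin's signature, the key, and the package bytes are all constructed assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample package bytes and a constructed origin signing key.
# A shared-key HMAC stands in for the asymmetric signature a real index
# would use; that substitution is an assumption of this example only.
PACKAGE = b"example-1.0.tar.gz contents (constructed sample)"
ORIGIN_KEY = b"constructed-demo-key"


def md5sum(data: bytes) -> str:
    """Layer 1 digest: the md5 the simple page already carries per file."""
    return hashlib.md5(data).hexdigest()


def build_simple_page(name: str, data: bytes) -> bytes:
    """Build the simple-page entry for one file, with its md5 fragment."""
    return f"{name}#md5={md5sum(data)}".encode()


def sign_page(page: bytes, key: bytes) -> str:
    """Layer 2: the origin signs the simple page so a mirror cannot alter it."""
    return hmac.new(key, page, hashlib.sha256).hexdigest()


def verify_download(page: bytes, signature: str, data: bytes, key: bytes):
    """Return (page_authentic, file_matches_page) for a mirrored download."""
    page_ok = hmac.compare_digest(sign_page(page, key), signature)
    expected_md5 = page.decode().split("#md5=", 1)[1]
    file_ok = hmac.compare_digest(md5sum(data), expected_md5)
    return page_ok, file_ok


def run_scenarios() -> dict:
    """Exercise the three cases the two-layer scheme is meant to separate."""
    page = build_simple_page("example-1.0.tar.gz", PACKAGE)
    sig = sign_page(page, ORIGIN_KEY)

    # 1. Faithful mirror: both layers pass.
    faithful = verify_download(page, sig, PACKAGE, ORIGIN_KEY)

    # 2. Faulty transmission: page is genuine, bytes are damaged,
    #    so the md5 alone is enough to notice.
    corrupted = verify_download(page, sig, PACKAGE + b"\x00", ORIGIN_KEY)

    # 3. Hostile mirror: the file is replaced AND the simple page is
    #    rewritten so its md5 matches the replacement. The md5 check now
    #    passes; only the signature over the page reveals the change.
    evil = b"constructed replacement contents"
    forged_page = build_simple_page("example-1.0.tar.gz", evil)
    tampered_index = verify_download(forged_page, sig, evil, ORIGIN_KEY)

    return {
        "faithful": faithful,
        "corrupted": corrupted,
        "tampered_index": tampered_index,
    }


if __name__ == "__main__":
    for case, (page_ok, file_ok) in run_scenarios().items():
        print(f"{case:15s} page_authentic={page_ok} file_matches_page={file_ok}")
```

The third scenario is the one the md5 cannot help with on its own: a mirror that controls both the file and the index entry can keep them consistent, so a client must verify the index against the origin's signature before trusting the digest it contains.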
