[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
"Martin v. Löwis"
martin at v.loewis.de
Wed Jun 16 01:04:36 CEST 2010
On 16.06.2010 00:37, Fred Drake wrote:
> On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano<steve at pearwood.info> wrote:
>> A digital signature is not an MD5 checksum, it may have actual legal
>> meaning in many countries equivalent to a pen and paper signature.
> I would expect that verifying a package was signed by PyPI to mean no more than
> that the bits match what's available from PyPI for the same name. (Not sure if
> that's what's in the PEP, but that's what I'd be looking for.)
It's indeed exactly that.
> We'd have to disclaim anything more than that. But it would be useful to verify
> that a package from a mirror was accurately mirrored.
There are actually two layers here: one is to verify that the
transmission was not faulty; for this, the md5sum that is already in the
simple pages should be enough (and *please* don't tell me that md5 is
Of course, an adversary could then try to modify the simple pages,
that's what the actual signatures are for.
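Added example (mine, not code from this thread or from PyPI) showing the two layers above on constructed data: the md5 fragment on the simple page catches a faulty transfer, and only something that binds the page to the origin catches a mirror that rewrites both page and file. A page digest obtained from PyPI rather than the mirror stands in for the signature here; that stand-in is an assumption of the example.

```python
import hashlib
import hmac
import re

# Constructed sample (not real PyPI data): a package file and the simple-page link
# that points at it, carrying the md5 fragment the simple pages already publish.
PACKAGE_BYTES = b"example-1.0.tar.gz archive contents (constructed sample)"
SIMPLE_PAGE = (
    '<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=%s">'
    "example-1.0.tar.gz</a>" % hashlib.md5(PACKAGE_BYTES).hexdigest()
).encode()
# Stand-in for a PyPI signature over the page (assumption for this example): a digest
# of the page the client obtained from the origin, not from the mirror.
ORIGIN_PAGE_DIGEST = hashlib.sha256(SIMPLE_PAGE).hexdigest()

MD5_FRAGMENT = re.compile(rb'href="[^"#]+#md5=([0-9a-fA-F]{32})"')

def transfer_ok(page, data):
    """Layer 1: the file matches the md5 fragment on the page. Catches faulty
    transmission only; a mirror that rewrites both page and file passes."""
    m = MD5_FRAGMENT.search(page)
    return m is not None and hmac.compare_digest(
        hashlib.md5(data).hexdigest(), m.group(1).decode().lower())

def page_authentic(page, origin_digest):
    """Layer 2: the page is the one the origin published (signature stand-in)."""
    return hmac.compare_digest(hashlib.sha256(page).hexdigest(), origin_digest)

def verify(page, data, origin_digest):
    """Layer 2 first: an unauthenticated page makes its md5 fragment worthless."""
    if not page_authentic(page, origin_digest):
        return "page tampered"
    if not transfer_ok(page, data):
        return "transfer corrupted"
    return "ok"

def scenarios():
    """Honest mirror, mirror that corrupted the file, mirror that rewrote both."""
    evil_bytes = PACKAGE_BYTES + b" (modified by mirror)"
    evil_page = SIMPLE_PAGE.replace(
        hashlib.md5(PACKAGE_BYTES).hexdigest().encode(),
        hashlib.md5(evil_bytes).hexdigest().encode())
    return {
        "honest": verify(SIMPLE_PAGE, PACKAGE_BYTES, ORIGIN_PAGE_DIGEST),
        "corrupted": verify(SIMPLE_PAGE, PACKAGE_BYTES[:-5], ORIGIN_PAGE_DIGEST),
        "rewritten_md5_only": transfer_ok(evil_page, evil_bytes),  # True: layer 1 fooled
        "rewritten": verify(evil_page, evil_bytes, ORIGIN_PAGE_DIGEST),
    }
```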