[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 16 01:04:36 CEST 2010


Am 16.06.2010 00:37, schrieb Fred Drake:
> On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano<steve at pearwood.info>  wrote:
>> A digital signature is not an MD5 checksum, it may have actual legal
>> meaning in many countries equivalent to a pen and paper signature.
>
> I would expect that verifying a package was signed by PyPI to mean no more than
> that the bits match what's available from PyPI for the same name.  (Not sure if
> that's what's in the PEP, but that's what I'd be looking for.)

It's indeed exactly that.

> We'd have to disclaim anything more than that.  But it would be useful to verify
> that a package from a mirror was accurately mirrored.

There are actually two layers here: one is to verify that the 
transmission was not faulty; for this, the md5sum that is already in the 
simple pages should be enough (and *please* don't tell me that md5 is 
broken).

Of course, an adversary could then try to modify the simple pages, 
that's what the actual signatures are for.

Regards,
Martin
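The first of the two layers Martin describes, worked through as an added example (not code from the thread or from PyPI): pull the checksum a PyPI-style simple page advertises for a release file and compare it with the bytes actually received. The `#md5=` URL-fragment layout of the simple page is an assumption here, and the page and file contents are constructed samples. The check catches a corrupted transfer, but any self-consistent page/file pair passes it, which is why a signature over the page itself is the separate second layer.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def build_simple_page(filename, data):
    """Constructed sample of a simple page: one anchor whose href fragment
    carries the md5 of the release file (assumed '#md5=<hex>' layout)."""
    digest = hashlib.md5(data).hexdigest()
    return ('<html><body><h1>Links for demo</h1>'
            '<a href="../../packages/source/d/demo/{0}#md5={1}">{0}</a>'
            '</body></html>').format(filename, digest)


# Constructed release file and the simple page that advertises it.
FILE_BYTES = b"fake sdist contents for demonstration\n"
SIMPLE_PAGE = build_simple_page("demo-1.0.tar.gz", FILE_BYTES)


class _LinkHashes(HTMLParser):
    """Collect {filename: md5hex} from every <a href> carrying a #md5= fragment."""

    def __init__(self):
        super().__init__()
        self.hashes = {}

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        url = urlparse(dict(attrs).get("href", ""))
        if url.fragment.startswith("md5="):
            name = url.path.rsplit("/", 1)[-1]
            self.hashes[name] = url.fragment[len("md5="):].lower()


def expected_md5(simple_page, filename):
    """Checksum the simple page claims for `filename`, or None if not listed."""
    parser = _LinkHashes()
    parser.feed(simple_page)
    return parser.hashes.get(filename)


def transmission_ok(simple_page, filename, data):
    """Layer 1 only: do the received bytes match the checksum on the page?
    A True result says nothing about whether the page itself is authentic."""
    expected = expected_md5(simple_page, filename)
    return expected is not None and hashlib.md5(data).hexdigest() == expected
```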

