[Catalog-sig] Proposal: close the PyPI file-replacement loophole
Chris Withers
chris at simplistix.co.uk
Wed Feb 1 10:14:16 CET 2012
On 01/02/2012 09:01, Yuval Greenfield wrote:
> Would you testify that HTTP is secure because I can emulate TLS in
> javascript?
What's that got to do with the price of eggs?
> PyPI should do what it can within reason to be consistent and safe for
> all its users.
*sigh* that's what the MD5s are for. What threat, exactly, are you so
worried about here? That someone investigates and chooses to use a
package, and then, having done so, decides to re-download an identical
version of that package which has been maliciously uploaded, and happens
to have the same MD5 checksum as the one they've already downloaded?
Chris
--
Simplistix - Content Management, Batch Processing & Python Consulting
- http://www.simplistix.co.uk
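The check Chris is relying on, as an added example that is not code from the thread or from PyPI: installers of the time read the `#md5=<hex>` fragment that PyPI appended to download links and compared it against the digest of the file they fetched. The sample archive bytes, URLs and the `sha256` variant are constructed for the demo; the helper names are made up here.

```python
"""Verify a fetched package file against a digest pinned in its download URL.

Added example, not code from the mailing-list thread or from PyPI. It
reproduces the check installers did with the ``#md5=`` URL fragment and
accepts a stronger ``#sha256=`` pin in the same way. All sample bytes and
URLs are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for a downloaded sdist (not a real archive).
GOOD_SDIST = b"PK\x03\x04 testpkg-1.0 sdist (constructed sample bytes)"
# A different file later uploaded under the same filename and version.
REPLACED_SDIST = GOOD_SDIST + b" + extra code that was not there before"


def digest(data: bytes, algo: str) -> str:
    """Hex digest of ``data`` with the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def expected_digest_from_url(url: str) -> Optional[Tuple[str, str]]:
    """Parse the ``#<algo>=<hex>`` fragment on a download link.

    Returns ``(algo, hexdigest)`` in lower case, or ``None`` when the link
    carries no usable digest (no fragment, or an algorithm hashlib lacks).
    """
    frag = urlparse(url).fragment
    if "=" not in frag:
        return None
    algo, _, hexdigest = frag.partition("=")
    algo = algo.lower()
    if algo not in hashlib.algorithms_available:
        return None
    return algo, hexdigest.lower()


def verify(data: bytes, algo: str, expected_hex: str) -> bool:
    """Compare the computed digest with the pinned one in constant time."""
    return hmac.compare_digest(digest(data, algo), expected_hex)


def check_download(url: str, data: bytes) -> str:
    """Classify a fetched file as 'ok', 'mismatch' or 'unverified'.

    'unverified' means the link carried no digest at all; an installer that
    has been told to require hashes should treat that as a failure rather
    than silently installing the file.
    """
    parsed = expected_digest_from_url(url)
    if parsed is None:
        return "unverified"
    algo, expected_hex = parsed
    return "ok" if verify(data, algo, expected_hex) else "mismatch"


if __name__ == "__main__":
    base = "https://files.example/packages/testpkg-1.0.tar.gz"
    pinned = base + "#md5=" + digest(GOOD_SDIST, "md5")
    # The file the digest was taken from passes.
    print("original file:", check_download(pinned, GOOD_SDIST))
    # A replaced upload with different contents is caught, because its
    # digest differs from the one recorded on the index page.
    print("replaced file:", check_download(pinned, REPLACED_SDIST))
    # A link with no fragment cannot be verified at all.
    print("no digest:    ", check_download(base, GOOD_SDIST))
```

The check only catches a replacement whose digest differs from the one recorded; a file that has been replaced with one carrying the same MD5 passes, which is why the example accepts a `sha256` pin as well. Pinning the digest the user saw at first download (rather than re-reading it from the index on every install) is what turns this from an integrity check on the transfer into a check against a later re-upload.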