[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Chris Withers chris at simplistix.co.uk
Wed Feb 1 10:14:16 CET 2012

On 01/02/2012 09:01, Yuval Greenfield wrote:
> Would you testify that HTTP is secure because I can emulate TLS in
> javascript?

What's that got to do with the price of eggs?

> PyPI should do what it can within reason to be consistent and safe for
> all its users.

*sigh* that's what the MD5s are for. What threat, exactly are you so 
worried about here? That someone investigates and chooses to use a 
package, and then, having done so, decides to re-download an identical 
version of that package which has been maliciously uploaded, and happens 
to have the same MD5 checksum as the one they've already downloaded?


Simplistix - Content Management, Batch Processing & Python Consulting
             - http://www.simplistix.co.uk

More information about the Catalog-SIG mailing list