[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Richard Jones richard at python.org
Wed Feb 1 10:15:54 CET 2012

On 1 February 2012 19:36, Chris Withers <chris at simplistix.co.uk> wrote:
> If you actually cared about security, you'd already be using, recording and
> checking the MD5 checksums provided with each download and would already
> know that this isn't a security loophole.
> If you're not, then quit with the security theater.

I believe the "security theater" of MD5 was proven, and exploits
freely available, back in 2005 :-)


More information about the Catalog-SIG mailing list