[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Chris Withers chris at simplistix.co.uk
Wed Feb 1 10:18:41 CET 2012

On 01/02/2012 09:15, Richard Jones wrote:
> On 1 February 2012 19:36, Chris Withers<chris at simplistix.co.uk>  wrote:
>> If you actually cared about security, you'd already be using, recording and
>> checking the MD5 checksums provided with each download and would already
>> know that this isn't a security loophole.
>> If you're not, then quit with the security theater.
> I believe the "security theater" of MD5 was proven, and exploits
> freely available, back in 2005 :-)

Well now, that's a valid argument, so what hashing technique should we 
be using? ;-)

Chris - https://twitter.com/#!/chrismcdonough/status/159877313771737088

Simplistix - Content Management, Batch Processing & Python Consulting
             - http://www.simplistix.co.uk

More information about the Catalog-SIG mailing list