[Catalog-sig] Proposal: close the PyPI file-replacement loophole

M.-A. Lemburg mal at egenix.com
Wed Feb 1 10:20:24 CET 2012


Richard Jones wrote:
> On 1 February 2012 19:36, Chris Withers <chris at simplistix.co.uk> wrote:
>> If you actually cared about security, you'd already be using, recording and
>> checking the MD5 checksums provided with each download and would already
>> know that this isn't a security loophole.
>>
>> If you're not, then quit with the security theater.
> 
> I believe the "security theater" of MD5 was proven, and exploits
> freely available, back in 2005 :-)

Perhaps we ought to rename the thread to: "Proposal: add SHA hashes to
distribution files", then :-)

I'd be +1 on that since it does actually add security to PyPI.

-- 
Marc-Andre Lemburg
eGenix.com

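To make the "record and check the checksum" argument concrete, here is an added example (not code from the thread or from PyPI) of a download verifier that reads the digest an index publishes in a URL fragment, refuses MD5 unless explicitly allowed, and compares the SHA-256 digest in constant time. The `#<alg>=<hex>` fragment convention and the sample package bytes are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms this verifier trusts; MD5 is left out because collisions are practical.
STRONG_ALGORITHMS = {"sha256", "sha512"}
HEX_DIGITS = set("0123456789abcdef")


def parse_hash_fragment(url: str) -> tuple[str, str]:
    """Return (algorithm, hex digest) from a fragment such as '#sha256=ab12...'.

    Assumption for this example: the index appends '#<alg>=<hex>' to download URLs.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        raise ValueError("download URL carries no hash fragment")
    algorithm, _, digest = fragment.partition("=")
    algorithm, digest = algorithm.lower(), digest.lower()
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unknown digest algorithm: {algorithm}")
    if not digest or not set(digest) <= HEX_DIGITS:
        raise ValueError("published digest is not hexadecimal")
    return algorithm, digest


def verify_download(url: str, data: bytes, allow_weak: bool = False) -> bool:
    """Check downloaded bytes against the digest published in the URL fragment.

    Returns True on a match, False on a mismatch, and raises ValueError when the
    published digest uses an algorithm this verifier refuses to trust.
    """
    algorithm, expected = parse_hash_fragment(url)
    if algorithm not in STRONG_ALGORITHMS and not allow_weak:
        raise ValueError(f"refusing weak digest algorithm: {algorithm}")
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison so a mismatch cannot be narrowed down by timing.
    return hmac.compare_digest(actual, expected)


# Constructed sample: a stand-in for an sdist and the digests an index would publish.
SAMPLE_SDIST = b"example-1.0.tar.gz contents (constructed, not a real package)"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SDIST).hexdigest()
SAMPLE_MD5 = hashlib.md5(SAMPLE_SDIST).hexdigest()
SAMPLE_URL_SHA256 = f"https://example.invalid/example-1.0.tar.gz#sha256={SAMPLE_SHA256}"
SAMPLE_URL_MD5 = f"https://example.invalid/example-1.0.tar.gz#md5={SAMPLE_MD5}"

if __name__ == "__main__":
    print("sha256 match:", verify_download(SAMPLE_URL_SHA256, SAMPLE_SDIST))
    print("tampered file:", verify_download(SAMPLE_URL_SHA256, SAMPLE_SDIST + b"x"))
```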
