[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 10:38:26 CET 2012


ugh it's late, that was meant to say but doesn't cover all situations (and neither does making things write only). But together things would be *a lot* more secure. 


On Wednesday, February 1, 2012 at 4:30 AM, Donald Stufft wrote:

> 
> 
> On Wednesday, February 1, 2012 at 4:20 AM, M.-A. Lemburg wrote:
> 
> > Richard Jones wrote:
> > > On 1 February 2012 19:36, Chris Withers <chris at simplistix.co.uk (mailto:chris at simplistix.co.uk)> wrote:
> > > > If you actually cared about security, you'd already be using, recording and
> > > > checking the MD5 checksums provided with each download and would already
> > > > know that this isn't a security loophole.
> > > > 
> > > > If you're not, then quit with the security theater.
> > > 
> > > I believe the "security theater" of MD5 was proven, and exploits
> > > freely available, back in 2005 :-)
> > > 
> > 
> > 
> > Perhaps we ought to rename the thread to: "Proposal: add SHA hashes to
> > distribution files", then :-)
> > 
> > I'd be +1 on that since it does actually add security to PyPI.
> This is a similar but doesn't  also good thing to do. IMO it should be sha256, (I would say sha512 but there are slowdown issues on older pythons). 
> > 
> > -- 
> > Marc-Andre Lemburg
> > eGenix.com (http://eGenix.com)
> 
> 
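Checking a download against the hashes an index published, as the thread discusses (an added example, not code from this thread or from PyPI itself): it verifies with sha256/sha512 only, refuses a record that carries md5 alone, compares digests in constant time, and shows that a silently replaced file no longer matches the hash recorded at upload. The function names and the sample bytes are constructed for the example.

```python
import hashlib
import hmac

# Hash algorithms a verifier should accept for distribution files.
# MD5 is deliberately excluded: collisions have been practical since 2005.
ACCEPTED_ALGORITHMS = ("sha256", "sha512")


def digest_file(data, algorithm):
    """Return the hex digest of the bytes `data` under `algorithm`."""
    return hashlib.new(algorithm, data).hexdigest()


def record_hashes(data):
    """Hashes an index would record for a freshly uploaded file (constructed helper)."""
    return {alg: digest_file(data, alg) for alg in ACCEPTED_ALGORITHMS}


def verify_distribution(data, published):
    """Check downloaded bytes against the hashes an index published.

    `published` maps algorithm name -> hex digest, e.g. {"md5": ..., "sha256": ...}.
    Returns (ok, reason). Only ACCEPTED_ALGORITHMS count: an md5-only record is
    refused rather than trusted, and every usable digest must match.
    """
    usable = [alg for alg in ACCEPTED_ALGORITHMS if alg in published]
    if not usable:
        return False, "no acceptable hash published (md5 alone is not enough)"
    for alg in usable:
        actual = digest_file(data, alg)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(actual, published[alg].lower()):
            return False, "%s mismatch: file differs from the recorded upload" % alg
    return True, "verified with " + ", ".join(usable)


if __name__ == "__main__":
    # Constructed sample: the file as first uploaded, and a replacement under the same name.
    original = b"example-1.0.tar.gz contents (constructed sample)"
    replaced = b"example-1.0.tar.gz contents (constructed sample, tampered)"
    published = record_hashes(original)
    print(verify_distribution(original, published))
    print(verify_distribution(replaced, published))
    print(verify_distribution(original, {"md5": digest_file(original, "md5")}))
```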


