[Catalog-sig] getting the public key when --sign is used
Tarek Ziadé
tarek at ziade.org
Mon Nov 19 23:03:50 CET 2012
On 11/19/12 11:01 PM, Daniel Holth wrote:
> Unfortunately the whole signed mirror system falls down because it
> relies on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although
> the signing key seems to be long enough. What would it take to get
> SHA-2 (or 3) added?
No, the mirroring protocol uses SHA:
http://www.python.org/dev/peps/pep-0381/#mirror-authenticity
The md5 hash is only a CRC check added in the tarball URL.