[Catalog-sig] getting the public key when --sign is used

martin at v.loewis.de martin at v.loewis.de
Mon Nov 19 23:40:03 CET 2012

Zitat von Daniel Holth <dholth at gmail.com>:

> Unfortunately the whole signed mirror system falls down because it relies
> on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although the signing
> key seems to be long enough.

You are misinterpreting the vulnerability. It does not apply to the
way in which md5 is used in PyPI.

So in no way the system "falls down".


More information about the Catalog-SIG mailing list