[Catalog-sig] getting the public key when --sign is used

Daniel Holth dholth at gmail.com
Mon Nov 19 23:53:46 CET 2012

On Nov 19, 2012, at 5:40 PM, martin at v.loewis.de wrote:

> Zitat von Daniel Holth <dholth at gmail.com>:
>> Unfortunately the whole signed mirror system falls down because it relies
>> on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although the signing
>> key seems to be long enough.
> You are misinterpreting the vulnerability. It does not apply to the
> way in which md5 is used in PyPI.
> So in no way the system "falls down".
> Regards,
> Martin

I can't create two colliding uploads, uploading the first (harmless version) to pypi and then tricking someone into mirroring the second (harmful) version? The system is not designed to protect the uploaded contents at all?

Perhaps it doesn't fall down for some reason, but the cert recommendation is:

Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

So why not start using sha256? The site would appear more modern, and at the very least people like me would stop complaining about it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/fdf897a0/attachment.html>

More information about the Catalog-SIG mailing list