[Distutils] Removing wheel signing features from the wheel library

alex.gronholm at nextday.fi alex.gronholm at nextday.fi
Fri Mar 23 02:56:08 EDT 2018


to, 2018-03-22 kello 21:56 +0000, Thomas Kluyver kirjoitti:
> On Thu, Mar 22, 2018, at 9:25 PM, alex.gronholm at nextday.fi wrote:
> 
> > I've been wondering about something – zip files already contain CRC
> > based checksums for each stored file. What benefit is there in
> > storing a RECORD file which basically duplicates this
> > functionality?
> > 
> 
> In terms of providing a foundation for security checks, I think CRC
> checksums are insufficient - they are meant to detect random data
> corruption, not a deliberate effort to make a malicious file.

If someone wanted to make a malicious file, what's preventing them from
modifying the RECORD to match the modified file when there is no
cryptographic signing involved?
> 
> You could simply use a cryptographic hash of the entire wheel zip
> file. I guess the advantage of storing file hashes in RECORD is that
> they can be checked against the installed code, not just the wheel
> package.
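To make the distinction in this exchange concrete, here is an added example (not code from the wheel library or from either poster) that verifies a wheel's RECORD entries against the zip members using the PEP 427 encoding, and then shows what such a check does and does not catch when the RECORD is unsigned. The wheel contents, file names and the `demo-1.0.dist-info` path are constructed for the example.

```python
import base64, csv, hashlib, io, zipfile

def record_digest(data: bytes) -> str:
    """Hash encoding RECORD uses (PEP 427): urlsafe base64 of SHA-256, '=' padding stripped."""
    return "sha256=" + base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def build_wheel(files: dict, record_name: str = "demo-1.0.dist-info/RECORD") -> bytes:
    """Constructed in-memory wheel: the given members plus a RECORD listing each one."""
    rows = [[name, record_digest(data), str(len(data))] for name, data in files.items()]
    rows.append([record_name, "", ""])  # RECORD lists itself without hash or size
    record = io.StringIO()
    csv.writer(record, lineterminator="\n").writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(record_name, record.getvalue())
    return buf.getvalue()

def verify_record(wheel: bytes) -> list:
    """Names whose hash/size disagree with RECORD, are listed but missing, or are unlisted."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        names = set(zf.namelist())
        record_name = next(n for n in names if n.endswith(".dist-info/RECORD"))
        listed = set()
        for name, digest, size in csv.reader(io.StringIO(zf.read(record_name).decode())):
            listed.add(name)
            if name == record_name:
                continue  # RECORD carries no hash of itself
            data = zf.read(name) if name in names else None
            if data is None or record_digest(data) != digest or str(len(data)) != size:
                bad.append(name)
        bad.extend(names - listed)  # present in the zip but never listed
    return sorted(bad)

def replace_member(wheel: bytes, name: str, data: bytes, rewrite_record: bool) -> bytes:
    """Constructed tamper case: swap one member, optionally regenerating RECORD to match."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        members = {n: zf.read(n) for n in zf.namelist()}
    record_name = next(n for n in members if n.endswith(".dist-info/RECORD"))
    members[name] = data
    if rewrite_record:  # an unsigned RECORD can simply be regenerated, so the check passes
        del members[record_name]
        return build_wheel(members, record_name)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()
```

The second tamper case is the point raised above: without a signature over RECORD, the per-file hashes detect a member that no longer matches its listing (or a member that was never listed), but they cannot tell a regenerated RECORD from the original one.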