[Numpy-discussion] Verify your sourceforge windows installer downloads

Julian Taylor jtaylor.debian at googlemail.com
Thu May 28 14:52:01 EDT 2015

On 28.05.2015 19:46, Pauli Virtanen wrote:
> 28.05.2015, 20:35, Sturla Molden wrote:
>> Pauli Virtanen <pav at iki.fi> wrote:
>>> Is it possible to host them on github? I think there's an option to add
>>> release notes and (apparently) to upload binaries if you go to the
>>> "Releases" section --- there's one for each tag.
>> And then Sourceforge will put up tainted installers "for the benefit of
>> NumPy users". :)
> Well, let them. They may already be tainted, who knows. It's phishing
> and malware distribution at that point, and there are some ways to deal
> with that (safe browsing, AV etc).

There is no guarantee that github will not do this stuff in future too;
also, PyPI or self hosting do not necessarily help, as those resources can
be compromised.
The main thing that should be learned from this and the many similar
incidents in the past is that binaries from the internet need to be
verified as to whether they have been modified from their original state;
otherwise they cannot be trusted.

With my mail I wanted to bring to attention that both numpy (since
1.7.2) and scipy (since 0.14.1) allow users to do so via the signed
README.txt containing checksums.
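As an added illustration of the verification workflow Julian describes (this is example code written for this page, not numpy's or scipy's own release tooling), the script below first demands a good GPG signature on the README before trusting anything in it, then parses `HEX  filename` checksum lines (a sha256sum-style layout assumed here; the real README.txt layout is not shown in the thread) and compares each listed download against its expected digest. The `demo()` function builds a constructed temporary download directory with one intact file, one tampered file and one file that was never downloaded.

```python
"""Verify downloaded installers against a signed checksum list.

Assumptions for this example (constructed, not numpy's actual README format):
the checksum list is plain "HEX  filename" lines, sha256sum style, optionally
wrapped in a PGP clearsign header/footer.  Signature checking shells out to
the real `gpg --verify`; the signing key must already be in the local keyring.
"""
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# sha256sum-style line: hex digest, whitespace, filename ('*' marks binary mode).
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S.*)$")


def verify_signature(readme: Path) -> bool:
    """Return True only if gpg reports a good signature on a clearsigned README.

    A checksum list whose signature does not verify proves nothing: an attacker
    who can replace the installer on a mirror can replace an unsigned list too.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found; cannot verify the README signature")
    result = subprocess.run(["gpg", "--verify", str(readme)],
                            capture_output=True, text=True)
    return result.returncode == 0


def parse_checksums(text: str) -> dict:
    """Extract {filename: expected hex digest} from the README body."""
    expected = {}
    for line in text.splitlines():
        m = _CHECKSUM_LINE.match(line.strip())
        if m:
            expected[m.group(2).strip()] = m.group(1).lower()
    return expected


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_downloads(checksums: dict, download_dir: Path) -> dict:
    """Return {filename: "ok" | "MISMATCH" | "missing"} for every listed file.

    Only the basename of each listed entry is used, so a list entry can never
    point the check at a file outside the download directory.
    """
    report = {}
    for name, digest in checksums.items():
        target = download_dir / Path(name).name
        if not target.is_file():
            report[name] = "missing"
        elif sha256_file(target) == digest:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def demo() -> dict:
    """Constructed scenario: one intact installer, one tampered, one never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "numpy-example-win32.exe").write_bytes(b"installer bytes v1")
        (d / "scipy-example-win32.exe").write_bytes(b"installer bytes v2")  # tampered
        good = hashlib.sha256(b"installer bytes v1").hexdigest()
        original_scipy = hashlib.sha256(b"original scipy bytes").hexdigest()
        # Constructed README body; the signature block is a placeholder, so in
        # real use verify_signature(readme_path) must return True before parsing.
        readme = (
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            f"{good}  numpy-example-win32.exe\n"
            f"{original_scipy}  scipy-example-win32.exe\n"
            f"{'0' * 64}  never-downloaded.exe\n"
            "-----BEGIN PGP SIGNATURE-----\n"
            "(signature omitted in this constructed sample)\n"
            "-----END PGP SIGNATURE-----\n"
        )
        return check_downloads(parse_checksums(readme), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The order matters: `verify_signature` comes first because the checksum list usually lives on the same server as the installer, so an unsigned list gives a compromised mirror nothing to defeat. The `demo()` result is `{"numpy-example-win32.exe": "ok", "scipy-example-win32.exe": "MISMATCH", "never-downloaded.exe": "missing"}`.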

