[Python-Dev] Hashes on same site as download?
Barry Warsaw
barry at python.org
Tue Oct 22 03:45:58 CEST 2013
On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote:
>I may be missing something, but it seems the Python tarballs and hashes are
>on the same host, and this is not an entirely good thing for security.
All the tarballs are signed with the GPG keys of the release managers. The
hashes are just a quick verification that your download succeeded. For extra
confidence, check the signatures. Our keys should be independently
verifiable.
-Barry
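
Added example, not part of the message above and not the Python release tooling: a shell check that accepts a download only when gpg reports a valid signature from a release key whose fingerprint you obtained independently of the download host. The function names, the sample status output and both fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example. Accept a release file only when gpg reports a valid signature
# whose PRIMARY key fingerprint equals one you obtained independently of the
# download host. Assumes 40-hex-digit (OpenPGP v4) fingerprints.

# Constructed sample of `gpg --status-fd 1 --verify` output; both fingerprints
# are made up. On a VALIDSIG line the first field is the signing (sub)key and
# the last field is the primary key fingerprint.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Release Manager <rm@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-10-21 1382313600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Reads status lines on stdin. Returns 0 on a match, 1 on no match or any
# bad/expired/revoked signature, 2 if the pinned value is not a full fingerprint.
signer_matches() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#pinned}" -eq 40 ] || return 2   # refuse short, spoofable key IDs
    matched=1
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                if [ "${rest##* }" = "$pinned" ]; then matched=0; fi ;;
        esac
    done
    return "$matched"
}

# Usage: verify_release <pinned-fingerprint> <file.asc> <file>
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | signer_matches "$1"
}
```

A matching hash from the same host passes no such test: whoever can replace the tarball can replace the hash, but cannot produce a VALIDSIG line for a key they do not hold.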