[Python-Dev] Hashes on same site as download?

Dan Stromberg drsalists at gmail.com
Tue Oct 22 05:25:38 CEST 2013


On Mon, Oct 21, 2013 at 6:47 PM, Tim Delaney <timothy.c.delaney at gmail.com> wrote:

> On 22 October 2013 12:21, Dan Stromberg <drsalists at gmail.com> wrote:
>
>>
>> I may be missing something, but it seems the Python tarballs and hashes
>> are on the same host, and this is not an entirely good thing for security.
>>
I was missing the gpg signing.  That's probably more effective than md5
anyway - at least, I hope we're not using gpg with md5 :)

Looking at the download pages in rapid-skim-mode, I saw the hashes and
ignored the text describing the use of gpg.  FWIW, I'm guessing a lot of
people do that.

>> The way things are now, an attacker breaks into one host, doctors up a
>> tarball, changes the hashes in the same host, and people download without
>> noticing, even if they verify hashes.
>>
>> If you put the hashes on a different host from the tarballs, the attacker
>> has to break into two machines.  In this scenario, the hashes add more
>> strength.
>>
>
> I'm not a security expert, but I can't see how that gives any more
> security than the current system (I tried to find whatever article you're
> talking about, but failed). It doesn't matter if you provide downloads in
> one place and direct people to get the hashes from elsewhere. An attacker
> has no need to compromise the server where the hashes are stored - they
> only need to compromise the server that tells you where to get the
> downloads and hashes.
>

I don't see the original article anymore, but I believe it was in a
Crypto-gram newsletter several years ago.

The closest thing I found tonight was:
http://en.wikipedia.org/wiki/MD5#Applications
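The one-host-versus-two-hosts argument above, as an added simulation that is not part of the thread: a "host" is a dict of filename to bytes, the attacker rewrites both the tarball and the digest file on it, and two verifiers are compared: one that reads the digest from the same host, one that uses a digest obtained independently beforehand. The filename `release.tgz`, the use of SHA-256 rather than md5, and the sample bytes are constructed for the example.

```python
"""Simulate the co-located-hash weakness from the Python-Dev thread.

Constructed example. A host is modelled as a dict mapping file names to
bytes. The verifier that trusts a digest fetched from the same host is
fooled once both files are replaced consistently; the verifier holding a
digest obtained out of band (a second host the attacker did not reach, a
signed announcement, a copy recorded before the break-in) detects it.
"""
import hashlib

TARBALL = "release.tgz"            # constructed name, not a real release
DIGEST_FILE = "release.tgz.sha256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(tarball: bytes) -> dict:
    """Release engineer puts the tarball and its digest on one host."""
    return {TARBALL: tarball, DIGEST_FILE: sha256_hex(tarball).encode()}


def compromise(host: dict, trojan: bytes) -> None:
    """Attacker with write access to that host replaces both files so
    that the digest file still matches the (doctored) tarball."""
    host[TARBALL] = trojan
    host[DIGEST_FILE] = sha256_hex(trojan).encode()


def verify_colocated(host: dict) -> bool:
    """Digest and tarball both come from the same host."""
    return sha256_hex(host[TARBALL]) == host[DIGEST_FILE].decode()


def verify_pinned(host: dict, pinned_digest: str) -> bool:
    """Digest came through a channel the attacker does not control.
    Note Tim's caveat: if the attacker also controls the page that tells
    the user where to fetch the digest, this collapses to the case above.
    The pin must be obtained independently (as a gpg key already is)."""
    return sha256_hex(host[TARBALL]) == pinned_digest


def demo() -> tuple:
    """Return ((colocated, pinned) before, (colocated, pinned) after)."""
    genuine = b"constructed genuine tarball bytes"
    trojan = b"constructed doctored tarball bytes"
    host = publish(genuine)
    pinned = sha256_hex(genuine)     # recorded out of band, pre-compromise
    before = (verify_colocated(host), verify_pinned(host, pinned))
    compromise(host, trojan)
    after = (verify_colocated(host), verify_pinned(host, pinned))
    return before, after
```

Running `demo()` shows the co-located check still passing after the break-in while only the pinned check fails.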