[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Stefan Krah stefan at bytereef.org
Thu May 8 18:03:25 CEST 2014


Donald Stufft <donald at stufft.io> wrote:
> I said "meaningful". Almost nobody is going to ever bother googling it and
> the likelihood that someone is able to MITM *you* specifically is far lesser
> than the likelihood that someone is going to MITM one of the cdecimal users.

I'm doing this for important installs. -- That is how I installed qmail
and djbdns.


> Additionally your messages aren't signed and email isn't an authenticated
> profile so if someone was able to get your password they could simply spoof
> an email from you to the mailing list with new hashes, or edit out the description
> telling people to go google some stuff.

Signing messages is pointless if the key isn't well connected.  Also, I'm
reading the lists and would notice a "release".  Most importantly, the
checksum mismatch would still be found, since the old messages with the
correct sum would still exist under the scenario we're talking about
(i.e. not GCHQ hacking into Belgacom routers).


Stefan Krah
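A defender-side illustration of the checksum check this reply relies on, added here and not part of the thread: it hashes a downloaded archive and compares it against digests recorded in several independently archived messages, so a single edited or spoofed record shows up as a mismatch rather than going unnoticed. The sample archive bytes and the digest records are constructed placeholders.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample: bytes standing in for a downloaded archive, plus the
# digests that two independent, earlier-archived list messages are assumed
# to have published for it. All values are illustrative placeholders.
SAMPLE_ARCHIVE = b"cdecimal-placeholder-tarball-contents\n"
_GOOD = "sha256:" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
PUBLISHED_DIGESTS = {
    "list-archive-msg-A": _GOOD,
    "list-archive-msg-B": _GOOD,
}

def digest_file(path, algorithm="sha256"):
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_records(path, records):
    """Compare a file's digest with every published record.

    Returns (ok, details). ok is True only when all records agree with the
    file; any disagreeing record is the 'checksum mismatch' signal that an
    edited or spoofed announcement produces once the older copies still exist.
    """
    details = {}
    for source, spec in records.items():
        algorithm, _, expected = spec.partition(":")
        actual = digest_file(path, algorithm)
        # constant-time comparison, so timing does not reveal matching prefixes
        details[source] = hmac.compare_digest(actual, expected)
    return all(details.values()), details

def demo():
    """Run the check once against consistent records and once with a spoofed one."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "cdecimal-sample.tar.gz"
        p.write_bytes(SAMPLE_ARCHIVE)
        ok_clean, _ = verify_against_records(p, PUBLISHED_DIGESTS)
        # A later, forged message announcing a different digest for the same file.
        spoofed = dict(PUBLISHED_DIGESTS, **{"spoofed-msg": "sha256:" + "0" * 64})
        ok_spoofed, details = verify_against_records(p, spoofed)
    return ok_clean, ok_spoofed, details
```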