[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Thu May 8 18:22:16 CEST 2014


On May 8, 2014, at 12:03 PM, Stefan Krah <stefan at bytereef.org> wrote:

> Donald Stufft <donald at stufft.io> wrote:
>> I said “meaningful”. Almost nobody is going to ever bother googling it and
>> the likelihood that someone is able to MITM *you* specifically is far lesser
>> than the likelihood that someone is going to MITM one of the cdecimal users.
> 
> I'm doing this for important installs. -- That is how I installed qmail
> and djbdns.
> 
> 
>> Additionally your messages aren't signed and email isn't an authenticated
>> profile so if someone was able to get your password they could simply spoof
>> an email from you to the mailing list with new hashes, or edit out the description
>> telling people to go google some stuff.
> 
> Signing messages is pointless if the key isn't well connected.  Also, I'm
> reading the lists and would notice a "release".  Most importantly, the
> checksum mismatch would still be found, since the old messages with the
> correct sum would still exist under the scenario we're talking about
> (i.e. not GHCQ hacking into Belgacom routers).
> 
> 

I’m unsure if you’re being willfully dense or if you’re just not understanding
what I mean when I say “almost”. Of course there are going to be a few outliers
where people do bother to do that, but it’s not going to be common place at
all.

But whatever, I’ve removed the warning that occurs when you install an
externally hosted file [1] and it will be included in pip 1.6. I have not
changed the defaults for --allow-all-external nor have I removed the warning
that occurs when someone elects to install an unverifiable download.

[1] https://github.com/pypa/pip/commit/9f56b79e8d

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
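The thread above argues about what a published checksum actually buys you: a download altered in transit fails to match, and a spoofed posting carrying a substituted digest is exposed because the older copies of the announcement still carry the original sum. The following is an added example written for this page (it is not pip's code and not the procedure either poster uses) that makes both checks explicit: verify the download against the published SHA-256, and first reconcile several independently retrieved copies of that digest. The artifact bytes, the "published" digest and the source names are all constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed stand-in for a downloaded archive; not the real cdecimal tarball.
ARTIFACT = b"cdecimal-x.y.tar.gz placeholder bytes (constructed for this example)\n"

# Constructed stand-in for the digest the author announced on the list. It is
# computed here only so the example is self-contained; in practice the value is
# copied from the announcement, never derived from the download being checked.
PUBLISHED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed stand-in for a copy of the download altered in transit.
TAMPERED = ARTIFACT.replace(b"placeholder", b"p1aceholder")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 over the whole artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """True only if the download hashes to the published digest.

    compare_digest keeps the comparison time independent of where the
    two strings first differ; case and whitespace in the copied digest
    are normalized so a pasted uppercase value still matches.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def reconcile_published_digests(copies: Dict[str, str]) -> Set[str]:
    """Return the distinct digests found across independently retrieved
    copies of the announcement (original post, list archive, a mirror).

    A spoofed posting that carries a replacement digest shows up here as a
    second distinct value instead of as a clean verification.
    """
    return {d.strip().lower() for d in copies.values()}


def install_decision(data: bytes, copies: Dict[str, str]) -> str:
    """Decide whether an externally hosted download may be installed.

    Order matters: settle what the published digest is before trusting
    any single copy of it, then check the bytes against that digest.
    """
    if not copies:
        return "refuse: no published digest available"
    distinct = reconcile_published_digests(copies)
    if len(distinct) != 1:
        return "refuse: published digests disagree across %s" % ", ".join(sorted(copies))
    expected = next(iter(distinct))
    if not verify_artifact(data, expected):
        return "refuse: download does not match published digest"
    return "ok"


if __name__ == "__main__":
    copies = {"announcement": PUBLISHED_SHA256, "list-archive": PUBLISHED_SHA256.upper()}
    print(install_decision(ARTIFACT, copies))
    print(install_decision(TAMPERED, copies))
    # A spoofed post whose digest matches the tampered download is caught by
    # disagreement with the surviving original copy, not by the hash check.
    copies["spoofed-post"] = sha256_hex(TAMPERED)
    print(install_decision(TAMPERED, copies))
```

Note that the second check only has teeth if the copies really are independent: a digest re-read from the same compromised channel that served the download adds nothing, which is the substance of the disagreement in the thread.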
