[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Devin Jeanpierre
jeanpierreda at gmail.com
Fri Dec 7 14:54:59 EST 2018
On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou <solipsis at pitrou.net> wrote:
> If the site is vulnerable to modifications, then TLS doesn't help.
> Again: you must verify the GPG signatures (since they are produced by
> the release manager's private key, which is *not* stored on the
> python.org Web site).
>
This is missing the point. They were asking why not to use SHA512. The
answer is that the hash does not provide any extra security. GPG is
separate: even if there was no GPG signature, SHA512 would still not
provide any extra security. That's why I said "more to the point". :P
Nobody "must" verify the GPG signatures. TLS doesn't protect against
everything, but neither does GPG. A naive user might just download a public
GPG key from a compromised python.org and use it to verify the compromised
release, see everything is "OK", and still be hosed.
-- Devin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20181207/be32d476/attachment.html>
More information about the Python-ideas
mailing list