> The only verification done is the md5 hash on the file, which can be
> changed on the mirror (nothing prevents the mirror from computing its own
> MD5 fragments in the download URLs)

That's not true. Changing the MD-5 would require changing the simple page, and that in turn would break the server signature to that page.

In case you are unaware of the server signature, please have a look at

http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

I'd appreciate it if that were added to the PEP.

Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig