On Wed, Feb 1, 2012 at 10:36 AM, Chris Withers <ch...@simplistix.co.uk> wrote:
> On 01/02/2012 07:12, Yuval Greenfield wrote:
>
>> +1 on removing this security loophole in any of the ways suggested here.
>
> Good grief, it's not a "security loophole".
>
> If you actually cared about security, you'd already be using, recording
> and checking the MD5 checksums provided with each download and would
> already know that this isn't a security loophole.
>
> If you're not, then quit with the security theater.
>
> cheers,

Would you testify that HTTP is secure because I can emulate TLS in JavaScript?

PyPI should do what it can within reason to be consistent and safe for all its users. We're talking about a standard best practice for sites with user-generated content. The original API was aware of this best practice and a loophole was eventually introduced. Please do read the OP.

"Cheers",
Yuval
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig