On Nov 19, 2012, at 5:40 PM, mar...@v.loewis.de wrote:
>
> Zitat von Daniel Holth <dho...@gmail.com>:
>
>> Unfortunately the whole signed mirror system falls down because it relies
>> on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although the signing
>> key seems to be long enough.
>
> You are misinterpreting the vulnerability. It does not apply to the
> way in which md5 is used in PyPI.
>
> So in no way the system "falls down".
>
> Regards,
> Martin
I can't create two colliding uploads, uploading the first (harmless version) to
pypi and then tricking someone into mirroring the second (harmful) version? The
system is not designed to protect the uploaded contents at all?
Perhaps it doesn't fall down for some reason, but the cert recommendation is:
Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users
should avoid using the MD5 algorithm in any capacity. As previous research has
demonstrated, it should be considered cryptographically broken and unsuitable
for further use.
So why not start using sha256? The site would appear more modern, and at the
very least people like me would stop complaining about it.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
