On Nov 19, 2012, at 6:08 PM, mar...@v.loewis.de wrote:

> Quoting Daniel Holth <dho...@gmail.com>:
>
>> I can't create two colliding uploads, uploading the first (harmless version)
>> to pypi and then tricking someone into mirroring the second (harmful)
>> version? The system is not designed to protect the uploaded contents at all?
>
> It *is* designed to protect the uploaded contents, but not against the
> uploader. Instead, it protects against some mirror operator replacing
> a mirrored file, or some attacker taking over a mirror.
>
> If you assume that the package author is malicious, adding SHA hashes
> would not help at all. The package author can just upload a new version,
> and get it mirrored to all copies (including the master), and nothing
> in the mirroring protocol prevents that new version from containing
> a trojan horse. All hashes would be intact and fine, and the mirror
> be consistent with the master.
>
>> So why not start using sha256?
>
> It's not that simple. Backwards compatibility needs to be considered.
> Feel free to write specifications and patches.
>
> And please stop making FUD claims.
>
> Regards,
> Martin

Ok. We aren't protecting against the uploader. My real complaint is only that md5 hasn't been a recommended primitive since 1998. I will see about that patch. Pip at least understands #sha256=...

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
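
The check this thread is about, as an added example that is not part of the original messages and is not pip's or PyPI's code: bytes fetched from a mirror are verified against the `#<algo>=<digest>` fragment on the index link, and md5 links are refused. The URLs, payloads, function names and the allowed-digest policy are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption for this example: only these digests are accepted; md5 is refused.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


class HashCheckError(Exception):
    """Raised when a link has no usable hash fragment or the digest differs."""


def parse_hash_fragment(url):
    """Split '...#<algo>=<hexdigest>' into (algo, hexdigest)."""
    algo, sep, digest = urlsplit(url).fragment.partition("=")
    if not sep or not algo or not digest:
        raise HashCheckError("link carries no <algo>=<digest> fragment")
    return algo.lower(), digest.lower()


def verify_download(index_url, payload):
    """Check bytes fetched from a mirror against the hash on the index link."""
    algo, expected = parse_hash_fragment(index_url)
    if algo not in ALLOWED_ALGOS:
        raise HashCheckError(f"{algo} is not an accepted digest")
    actual = hashlib.new(algo, payload).hexdigest()
    if actual != expected:
        raise HashCheckError(f"{algo} mismatch: mirror copy differs from index")
    return algo


# Constructed sample data: not a real package, URL or digest.
ORIGINAL = b"print('hello from demo 1.0')\n"
TAMPERED = ORIGINAL + b"import os\n"  # stands in for a file replaced on a mirror
BASE = "https://index.example/packages/demo-1.0.tar.gz"
SHA256_LINK = f"{BASE}#sha256={hashlib.sha256(ORIGINAL).hexdigest()}"
MD5_LINK = f"{BASE}#md5={'0' * 32}"  # placeholder digest; refused before comparison

if __name__ == "__main__":
    print("original:", verify_download(SHA256_LINK, ORIGINAL))
    for label, link, data in [("tampered", SHA256_LINK, TAMPERED),
                              ("md5 link", MD5_LINK, ORIGINAL)]:
        try:
            verify_download(link, data)
        except HashCheckError as exc:
            print(f"{label}: rejected ({exc})")
```

A file re-uploaded by its own author would get a fresh matching digest on the index and pass this check, which is the limit Martin describes in the quoted reply.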