On 05 Feb 2013, at 15:06, Holger Krekel <holger.kre...@gmail.com> wrote:
> In the end, however, none of this prevents MITM attacks between a downloader
> and pypi.python.org. Or between the uploader and pypi.python.org (using
> basic auth over http often). Signing methods like
> https://wiki.archlinux.org/index.php/Pacman-key are key. If a signature is
> available (also at a download_url site), then we can exclude undetected
> tampering. And there might not be a need to break currently working package
> releases.

A signature is not enough; if you don't have a secure channel, signatures can be replayed. E.g.: if you install through an insecure channel and you just verify GPG signatures on the package, I can MITM you and serve you an older, vulnerable package version (with its correct signature), and then go exploit that vulnerability.

-- 
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
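The replay scenario described in the reply above, as an added example that is not part of the original thread or of any PyPI or pip code. It is constructed: the publisher key, the "widget" package, its two releases and the three servers are all made up, and HMAC-SHA256 stands in for a detached GPG signature so the block runs with the standard library alone. The point it shows is the one in the reply: signature plus content-hash checks catch tampering, but an attacker on an insecure channel can still serve an older release with its genuine signature, and only a freshness check (here a minimum version obtained from a trusted channel) refuses it.

```python
import hashlib
import hmac
import json

# Constructed example: a publisher key standing in for a GPG signing key.
# HMAC-SHA256 is used as a stand-in for a detached signature so that the
# block runs with the standard library only.
PUBLISHER_KEY = b"constructed-publisher-signing-key"


def sign(key: bytes, payload: bytes) -> str:
    """Stand-in for a detached signature over the release metadata."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def make_release(name: str, version: str, content: bytes) -> dict:
    """Publisher side: sign name, version and content hash as one record."""
    meta = json.dumps(
        {"name": name, "version": version,
         "sha256": hashlib.sha256(content).hexdigest()},
        sort_keys=True,
    ).encode()
    return {"meta": meta, "sig": sign(PUBLISHER_KEY, meta), "content": content}


# Two legitimately signed releases of a made-up package; 1.0 is the buggy one.
RELEASES = {
    "1.0": make_release("widget", "1.0", b"widget 1.0: contains the known bug"),
    "1.1": make_release("widget", "1.1", b"widget 1.1: bug fixed"),
}


def honest_server(name: str) -> dict:
    """The index serving the current release."""
    return RELEASES["1.1"]


def mitm_server(name: str) -> dict:
    """Attacker on the insecure channel: replays the old release, real signature included."""
    return RELEASES["1.0"]


def tampered_server(name: str) -> dict:
    """Attacker who edits the payload instead; the signed hash no longer matches."""
    rel = dict(RELEASES["1.1"])
    rel["content"] = b"widget 1.1 with an extra payload"
    return rel


def _checked_metadata(release: dict) -> dict:
    """Signature and content-hash checks shared by both installers."""
    if not verify(PUBLISHER_KEY, release["meta"], release["sig"]):
        raise ValueError("bad signature")
    meta = json.loads(release["meta"])
    if hashlib.sha256(release["content"]).hexdigest() != meta["sha256"]:
        raise ValueError("content does not match signed hash")
    return meta


def naive_install(fetch) -> str:
    """Signature-only client: returns the version it ended up installing."""
    return _checked_metadata(fetch("widget"))["version"]


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def pinned_install(fetch, min_version: str) -> str:
    """Same checks plus freshness: min_version is assumed to come from a
    trusted channel (hypothetical: a pinned requirements file, a signed and
    dated index, or the version already installed), so a replayed older
    release is refused even though its signature verifies."""
    meta = _checked_metadata(fetch("widget"))
    if version_tuple(meta["version"]) < version_tuple(min_version):
        raise ValueError(
            f"downgrade refused: got {meta['version']}, expected >= {min_version}")
    return meta["version"]


if __name__ == "__main__":
    print(naive_install(honest_server))          # 1.1
    print(naive_install(mitm_server))            # 1.0, accepted: signature is valid
    print(pinned_install(honest_server, "1.1"))  # 1.1
    for fetch in (mitm_server, tampered_server):
        try:
            pinned_install(fetch, "1.1")
        except ValueError as e:
            print("refused:", e)
```

The naive client accepts the replayed 1.0 because nothing in the signed record says "this is no longer current"; the hardened client only differs in comparing the signed version against a minimum it learned elsewhere, which is why the freshness information itself has to travel over a channel the attacker cannot replay.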