On May 13, 2014, at 7:58 AM, Stefan Krah <stefan-use...@bytereef.org> wrote:

> Paul Moore <p.f.mo...@gmail.com> wrote:
>>> Not quite the sequence of events. -- I left the existing explicit link
>>> for some time after the first posts to python-dev. Then serious security
>>> issues were marginalized ("not a meaningful scenario"). I find this a
>>> little surprising, since PEP 458 is precisely there to address them.
>>>
>>> The user base that cdecimal targets (banks, stock exchanges, scientists)
>>> are able to verify checksums -- in fact in some places it might be a
>>> firing offense not to do so.
>>
>> Personally, I don't recall ever seeing anything about a serious
>> security issue.
>
> Well, basically a couple of things that PEP 458 tries to address. Currently
> manual verification of release-time checksums is a good bet.
>
> Anyway, people who *can* verify checksums can also use pip with judgement,
> so I've re-enabled the explicit link.
>
>
> I would be a bit more comfortable with sha256 instead of md5, but I may have
> missed an option. Currently PyPI does not support anything but md5.

So pip itself supports sha256, and has since before it supported TLS verification; setuptools supports sha256 since 0.9, however it started supporting TLS verification in 0.7. I've suggested that PyPI switch to something in the sha-2 family a few times going back years and have not yet been successful at convincing folks.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
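The thread above turns on two points: pip accepts a sha256 digest in a download URL's `#algo=hex` fragment, while PyPI at the time only published md5. The following added example (not code from the thread, pip or PyPI) shows the check a downloader can apply: parse the fragment, compare the digest of the fetched bytes in constant time, and report md5 as weak so a policy can refuse it. All URLs and artifact bytes are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms accepted as strong for release verification. md5 is still parsed,
# because pip accepts it and PyPI published only md5 at the time, but it is
# reported as weak and refused when the caller asks for require_strong.
STRONG_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})


def parse_hash_fragment(url):
    """Extract (algorithm, hexdigest) from a pip-style '#algo=hex' URL fragment."""
    fragment = urlparse(url).fragment
    algo, sep, hexdigest = fragment.partition("=")
    algo = algo.lower()
    if not sep or algo not in hashlib.algorithms_available:
        return None, None
    return algo, hexdigest.lower()


def check_download(url, data, require_strong=False):
    """Verify downloaded bytes against the checksum carried in the URL fragment.

    Returns a dict: ok (digest matched and policy satisfied), algorithm,
    weak (algorithm not in STRONG_ALGORITHMS) and reason (why ok is False).
    """
    algo, expected = parse_hash_fragment(url)
    if algo is None:
        return {"ok": False, "algorithm": None, "weak": True,
                "reason": "no usable checksum fragment"}
    weak = algo not in STRONG_ALGORITHMS
    if weak and require_strong:
        return {"ok": False, "algorithm": algo, "weak": True,
                "reason": "weak digest algorithm " + algo}
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so a mismatch reveals nothing about which bytes differed.
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return {"ok": False, "algorithm": algo, "weak": weak, "reason": "digest mismatch"}
    return {"ok": True, "algorithm": algo, "weak": weak, "reason": ""}


# Constructed sample: hypothetical artifact bytes and links carrying their digests.
SAMPLE_DATA = b"constructed sdist bytes for a worked example"
SAMPLE_HOST = "https://files.example.invalid/cdecimal-2.3.tar.gz"
SHA256_URL = SAMPLE_HOST + "#sha256=" + hashlib.sha256(SAMPLE_DATA).hexdigest()
MD5_URL = SAMPLE_HOST + "#md5=" + hashlib.md5(SAMPLE_DATA).hexdigest()

if __name__ == "__main__":
    print(check_download(SHA256_URL, SAMPLE_DATA))
    print(check_download(MD5_URL, SAMPLE_DATA))
    print(check_download(MD5_URL, SAMPLE_DATA, require_strong=True))
```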