On Fri, Mar 23, 2018, at 6:56 AM, alex.gronh...@nextday.fi wrote:
> If someone wanted to make a malicious file, what's preventing them
> from modifying the RECORD to match the modified file when there is no
> cryptographic signing involved?
Right: you need a way to verify RECORD on top of that. Like the signatures, or
a way to distribute hashes of RECORD files separately. The hashes in RECORD are a
foundation for building security systems, not a security system in themselves.
Thomas

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
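
The point made in this reply, shown as an added example (not part of the original message and not code from any packaging tool): a wheel whose file and RECORD were both changed still passes the internal RECORD check, and is only rejected once RECORD itself is compared against a digest obtained separately. The `demo-1.0` package, the function names and the pinned digest (standing in for a signature or a separately distributed hash list) are assumptions, and the wheels are constructed in memory.

```python
import base64, csv, hashlib, io, zipfile

RECORD_PATH = "demo-1.0.dist-info/RECORD"  # constructed package name (assumption)

def b64_digest(data: bytes) -> str:
    """SHA-256 in the urlsafe-base64, unpadded form that RECORD uses."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def build_wheel(files: dict) -> bytes:
    """Build a constructed wheel-like zip whose RECORD matches its files."""
    rows = [f"{n},sha256={b64_digest(d)},{len(d)}" for n, d in files.items()]
    rows.append(f"{RECORD_PATH},,")  # RECORD lists itself without a hash
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(RECORD_PATH, "\n".join(rows) + "\n")
    return buf.getvalue()

def record_digest(wheel: bytes) -> str:
    """Digest of the RECORD file itself: the value to sign or publish separately."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return b64_digest(zf.read(RECORD_PATH))

def record_consistent(wheel: bytes) -> bool:
    """Internal check only: archive contents agree with the RECORD inside it."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        names, listed = set(zf.namelist()), set()
        for name, digest, _size in csv.reader(io.StringIO(zf.read(RECORD_PATH).decode())):
            listed.add(name)
            if name == RECORD_PATH:
                continue
            if name not in names or digest != "sha256=" + b64_digest(zf.read(name)):
                return False
        return listed == names  # reject files that RECORD does not list

def verify_with_pin(wheel: bytes, pinned: str) -> bool:
    """Anchored check: RECORD must match a digest obtained out of band."""
    return record_digest(wheel) == pinned and record_consistent(wheel)

if __name__ == "__main__":
    good = build_wheel({"demo/__init__.py": b"print('hello')\n"})
    pin = record_digest(good)  # stands in for a signature or separate hash list
    # Same file modified and RECORD regenerated to match, as in the question.
    changed = build_wheel({"demo/__init__.py": b"print('modified')\n"})
    print(record_consistent(good), record_consistent(changed))
    print(verify_with_pin(good, pin), verify_with_pin(changed, pin))
```

The pinned digest is only as trustworthy as the channel it arrives over, which is the role the signatures or separately distributed hashes play in the reply above.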
