On Tuesday, February 12, 2019, Jeremy Stanley <fu...@yuggoth.org> wrote:
> On 2019-02-12 18:42:29 -0500 (-0500), Wes Turner wrote:
> > [...]
> > All it has to be is an archive containing a setup.py.
> >
> > "MD5 considered harmful today:
> > Creating a rogue CA certificate" (2008)
> > https://www.win.tue.nl/hashclash/rogue-ca/
>
> You keep trotting out PKI examples as if they have anything
> whatsoever to do with checksumming, but I'm quickly getting the
> distinct impression you don't actually know the difference so I'll
> stop now as we've gone well off-topic for this list.
> --
> Jeremy Stanley

You hash the file. The hash is compared against a list. If the hash matches, it's considered valid.

In 2008, they were able to generate a file that has the same MD5 hash as one in a list of considered-good hashes, which is also a valid x.509 cert.

How is that at all different from generating an archive with a setup.py that has the same hash as something listed on PyPI?

Trotting ... "Westminster Dad Show" https://youtu.be/2S2gQjTURvU ...

Now you've suggested that I'm FUD'ing: is there a difference between finding an x.509 cert hash and a .tgz/.zip with a setup.py or setup.pyc hash?

Maybe there's something fundamental that I've misunderstood?

(So sorry to interrupt)
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/XDKGVO4PIDC6LCKJY3TFDNG275W7PBLD/
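An added illustration of the check described in the message above ("you hash the file, the hash is compared against a list, if it matches it's considered valid"). It is not code from the thread or from any PyPI tooling. It uses the MD5-colliding pair published by Wang, Feng, Lai and Yu in 2004, embedded as constructed input so it runs offline, and shows why one such pair is enough to build two different files that both pass an MD5 allowlist check: MD5's internal state after the two colliding blocks is identical, so any common tail appended to both keeps the collision, while a SHA-256 allowlist separates them. The names `digest`, `passes_hash_check`, `build_archives` and `PACKAGE_TAIL` are hypothetical, and the tail is a stand-in for the rest of an archive rather than a real .tgz/.zip layout.

```python
import hashlib

# Two 128-byte inputs published by Wang, Feng, Lai and Yu (2004) that
# collide under MD5.  Constructed input embedded here so the example runs
# offline; both hash to 79054025255fb1a26e4bc422aef54eb4.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical file tail standing in for "the rest of the archive".  In a
# real attack the differing blocks have to sit somewhere the file format
# tolerates; here the tail is simply appended after them.
PACKAGE_TAIL = b"\nfrom setuptools import setup\nsetup(name='example')\n"


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def passes_hash_check(data: bytes, allowlist: set, algo: str) -> bool:
    """The check the thread describes: hash the file and accept it if the
    digest appears in a list of known-good digests."""
    return digest(data, algo) in allowlist


def build_archives():
    """Return (genuine, rogue): identical tail, different colliding prefix.

    Because the colliding prefixes leave MD5 in the same internal state,
    the full files still collide under MD5 (Merkle-Damgard extension).
    """
    return BLOCK_A + PACKAGE_TAIL, BLOCK_B + PACKAGE_TAIL


def demo() -> dict:
    """Run the allowlist check against the rogue file under MD5 and SHA-256."""
    genuine, rogue = build_archives()
    # The allowlist is built only from the genuine file, as a registry would.
    md5_allow = {digest(genuine, "md5")}
    sha256_allow = {digest(genuine, "sha256")}
    return {
        "files_differ": genuine != rogue,
        "prefixes_collide": digest(BLOCK_A, "md5") == digest(BLOCK_B, "md5"),
        "rogue_passes_md5": passes_hash_check(rogue, md5_allow, "md5"),
        "rogue_passes_sha256": passes_hash_check(rogue, sha256_allow, "sha256"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MD5 allowlist accepts the rogue file and the SHA-256 allowlist rejects it. The rogue file here is only a byte string with a different prefix, not a working sdist; turning a colliding pair into two parseable archives (or, in 2008, two parseable certificates) is the part that depends on the file format giving the attacker somewhere to put the differing bytes.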