On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote:

>I may be missing something, but it seems the Python tarballs and hashes are
>on the same host, and this is not an entirely good thing for security.

All the tarballs are signed with the GPG keys of the release managers. The hashes are just a quick verification that your download succeeded. For extra confidence, check the signatures. Our keys should be independently verifiable.

-Barry
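
The difference between the two checks, as an added example that is not part of the original message: shell functions in which a tarball and its published SHA-256 digest are replaced together, so the hash check still passes while `gpg --verify` fails. The key, user ID and file names are constructed for the demonstration, and GnuPG 2.1 or later plus `sha256sum` are assumed.

```bash
# Added example: every file name and the signing key below are constructed.

# Integrity only: does FILE match the digest published next to it?
hash_ok() {  # hash_ok FILE DIGEST_FILE
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$2")" ]
}

# Authenticity: was FILE signed by a key in our own keyring?
# gpg --verify exits non-zero on a bad or missing signature.
sig_ok() {   # sig_ok FILE SIG_FILE
    gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# Sign a throwaway "release" with a throwaway key, then replace the tarball
# and its digest together, as a change made on the download host would.
# Prints the outcome of both checks.
demo() {
    local work
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Manager <rm@example.invalid>' \
        ed25519 sign never 2>/dev/null || return 1
    printf 'original release\n' > "$work/pkg.tar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$work/pkg.tar.sig" "$work/pkg.tar" || return 1

    # The private key does not live on the download host, so the digest can
    # be regenerated to match a replaced file but the signature cannot.
    printf 'modified release\n' > "$work/pkg.tar"
    sha256sum "$work/pkg.tar" > "$work/pkg.tar.sha256"

    hash_ok "$work/pkg.tar" "$work/pkg.tar.sha256" \
        && echo "hash: pass" || echo "hash: FAIL"
    sig_ok "$work/pkg.tar" "$work/pkg.tar.sig" \
        && echo "sig: pass" || echo "sig: FAIL"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

For a real release, `sig_ok` gives a meaningful answer only when the release manager's public key was obtained and checked through a channel other than the download host.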