On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solip...@pitrou.net> wrote:

> md5 is only used for a quick integrity check here (think of it as a
> sophisticated checksum).  For security you need to verify the
> corresponding GPG signature.
>

More to the point: you're getting the hash from the same place as the
binary. If one is vulnerable to modifications by attackers, both are. So it
doesn't matter. The real defense most people are relying on is TLS.

-- Devin
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
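
The point made in this message, as an added example that is not part of the original thread: a constructed model of a download server shows that a checksum stored beside the file catches accidental corruption but not modification at the origin. The `Mirror` class, the sample bytes, and the pinned SHA-256 digest are assumptions; the pinned digest stands in for a check rooted outside the download server, such as the GPG signature mentioned above, and no GPG call is made.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    # md5 is used here only as a checksum, never as a security control.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """Constructed model: one server publishing a file and its md5."""

    def __init__(self, artifact: bytes):
        self.artifact = artifact
        self.md5 = md5_hex(artifact)

    def modify(self, new_artifact: bytes, rewrite_checksum: bool) -> None:
        # Whoever can rewrite the file can rewrite the checksum beside it.
        self.artifact = new_artifact
        if rewrite_checksum:
            self.md5 = md5_hex(new_artifact)


def evaluate(mirror: Mirror, pinned_sha256: str) -> dict:
    """Run both checks against whatever the mirror currently serves."""
    same_origin = hmac.compare_digest(md5_hex(mirror.artifact), mirror.md5)
    pinned = hmac.compare_digest(sha256_hex(mirror.artifact), pinned_sha256)
    return {"same_origin_md5": same_origin, "pinned_sha256": pinned}


RELEASE = b"constructed release bytes v1.0\n"  # constructed sample input
PINNED = sha256_hex(RELEASE)  # assumed to be obtained via a separate channel


def scenarios() -> dict:
    untouched = Mirror(RELEASE)
    corrupted = Mirror(RELEASE)
    corrupted.modify(RELEASE[:-1] + b"\x00", rewrite_checksum=False)
    replaced = Mirror(RELEASE)
    replaced.modify(b"constructed modified bytes\n", rewrite_checksum=True)
    return {name: evaluate(m, PINNED) for name, m in
            [("untouched", untouched), ("corrupted", corrupted),
             ("origin_modified", replaced)]}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```
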
