On Fri, 7 Dec 2018 06:49:59 -0800 Devin Jeanpierre <jeanpierr...@gmail.com> wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solip...@pitrou.net> wrote:
> > md5 is only used for a quick integrity check here (think of it as a
> > sophisticated checksum). For security you need to verify the
> > corresponding GPG signature.
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So it
> doesn't matter. The real defense most people are relying on is TLS.
If the site is vulnerable to modifications, then TLS doesn't help. Again: you must verify the GPG signatures (since they are produced by the release manager's private key, which is *not* stored on the python.org Web site).

Regards

Antoine.

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
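The two checks the thread distinguishes, written out as a script (an added example, not part of the thread and not python.org's own tooling): the md5 comparison is a same-origin integrity check, the detached GPG signature is the authenticity check. The keyring path, file names and the prior out-of-band import of the release manager's key are assumptions.

```shell
#!/bin/sh
# Two separate checks for a downloaded release artifact. The md5 is served from
# the same site as the artifact, so a match only shows the download was not
# corrupted in transit. Only the detached GPG signature, made with a private key
# that never lives on the web server, shows the artifact is the one the release
# manager published.
set -eu

# Integrity check: compare the artifact's md5 with the digest listed on the site.
# Exits 0 on match, 1 otherwise.
check_md5() {
    file=$1
    expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(openssl dgst -md5 "$file" | sed 's/.*= //')
    fi
    [ "$actual" = "$expected" ]
}

# Authenticity check: verify the detached .asc signature against a dedicated
# keyring holding only the release manager's public key (assumed path below).
# That key must be obtained and its fingerprint checked out of band: gpg exits 0
# for a valid signature by any key in the keyring, so a keyring polluted with
# arbitrary keys makes this check meaningless.
check_gpg() {
    file=$1
    sig=$2
    keyring=$3   # assumption: e.g. "$HOME/.gnupg/python-release-managers.gpg"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file"
}

# Both checks must pass; a matching hash on its own is not a security decision.
verify_release() {
    check_md5 "$1" "$2" && check_gpg "$1" "$3" "$4"
}
```

Usage: `verify_release Python-X.Y.Z.tgz <md5 from the download page> Python-X.Y.Z.tgz.asc "$HOME/.gnupg/python-release-managers.gpg"`.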