On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou <solip...@pitrou.net> wrote:
> If the site is vulnerable to modifications, then TLS doesn't help. > Again: you must verify the GPG signatures (since they are produced by > the release manager's private key, which is *not* stored on the > python.org Web site). > This is missing the point. They were asking why not to use SHA512. The answer is that the hash does not provide any extra security. GPG is separate: even if there was no GPG signature, SHA512 would still not provide any extra security. That's why I said "more to the point". :P Nobody "must" verify the GPG signatures. TLS doesn't protect against everything, but neither does GPG. A naive user might just download a public GPG key from a compromised python.org and use it to verify the compromised release, see everything is "OK", and still be hosed. -- Devin
_______________________________________________ Python-ideas mailing list Python-ideas@python.org https://mail.python.org/mailman/listinfo/python-ideas Code of Conduct: http://python.org/psf/codeofconduct/
