I may be missing something, but it seems the Python tarballs and hashes are
on the same host, and this is not an entirely good thing for security.
The way things are now, an attacker breaks into one host, doctors up a
tarball, changes the hashes in the same host, and people download without
On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote:
I may be missing something, but it seems the Python tarballs and hashes are
on the same host, and this is not an entirely good thing for security.
All the tarballs are signed with the GPG keys of the release managers. The
hashes are just a
On 22 October 2013 12:21, Dan Stromberg drsali...@gmail.com wrote:
I may be missing something, but it seems the Python tarballs and hashes
are on the same host, and this is not an entirely good thing for security.
The way things are now, an attacker breaks into one host, doctors up a
On Mon, Oct 21, 2013 at 6:47 PM, Tim Delaney timothy.c.dela...@gmail.comwrote:
On 22 October 2013 12:21, Dan Stromberg drsali...@gmail.com wrote:
I may be missing something, but it seems the Python tarballs and hashes
are on the same host, and this is not an entirely good thing for security.