2010/1/21 "Martin v. Löwis" <[email protected]>: >> The only verification done is the md5 hash on the file, which can be >> changed on the mirror (nothing prevents the mirror to compute its own >> MD5 fragments in the download URLs) > > That's not true. Changing the MD-5 would require to change the simple > page, and that in turn would break the server signature to that page. > > In case you are unaware of the server signature, please have a look at > > http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html >
I forgot about that one, thanks for the memories > I'd appreciate if that would be added to the PEP. > Yes definitely, I'll do that Regards Tarek -- Tarek Ziadé | http://ziade.org _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
