On 16.06.2010 00:37, Fred Drake wrote:
> On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano <[email protected]> wrote:
>> A digital signature is not an MD5 checksum, it may have actual legal
>> meaning in many countries equivalent to a pen and paper signature.
>
> I would expect that verifying a package was signed by PyPI to mean no more than
> that the bits match what's available from PyPI for the same name.  (Not sure if
> that's what's in the PEP, but that's what I'd be looking for.)

It's indeed exactly that.

> We'd have to disclaim anything more than that.  But it would be useful to verify
> that a package from a mirror was accurately mirrored.

There are actually two layers here: one is to verify that the transmission was not faulty; for this, the md5sum that is already in the simple pages should be enough (and *please* don't tell me that md5 is broken).

Of course, an adversary could then try to modify the simple pages, that's what the actual signatures are for.

Regards,
Martin
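The two layers Martin describes, as an added example that is not part of the thread or of PyPI's own code. It models the first layer only: the simple page of that era carried the file's digest as a `#md5=` URL fragment, and a client compares that digest against the bytes it received. The simple-page snippet, the package bytes and the function names are constructed for this illustration; the final check shows why this layer alone says nothing about a mirror that rewrites the simple page together with the package, which is what the signature layer is for.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed stand-in for a PyPI "simple" page entry: one link whose URL
# fragment carries the md5 of the file it points to (the historical format).
SIMPLE_PAGE_TEMPLATE = (
    '<a href="../../packages/source/e/example/example-1.0.tar.gz#md5={md5}">'
    "example-1.0.tar.gz</a>"
)

# Constructed package contents; a real sdist would be a tarball.
PACKAGE_BYTES = b"example-1.0 sdist contents (constructed sample)"

MD5_FRAGMENT = re.compile(r'href="([^"#]+)#md5=([0-9a-f]{32})"')


def render_simple_page(package: bytes) -> str:
    """What the index (or a mirror) publishes for a given package body."""
    return SIMPLE_PAGE_TEMPLATE.format(md5=hashlib.md5(package).hexdigest())


def expected_md5(simple_page: str, filename: str) -> Optional[str]:
    """Pull the advertised md5 for `filename` out of a simple page, if present."""
    for url, digest in MD5_FRAGMENT.findall(simple_page):
        if url.rsplit("/", 1)[-1] == filename:
            return digest
    return None


def transmission_ok(simple_page: str, filename: str, received: bytes) -> bool:
    """Layer 1: do the received bytes match the digest the simple page advertises?

    This catches a corrupted or truncated download.  It trusts the simple page,
    so it cannot detect a mirror that alters both page and package consistently.
    """
    digest = expected_md5(simple_page, filename)
    if digest is None:
        return False  # no digest advertised: treat as unverifiable, not as ok
    actual = hashlib.md5(received).hexdigest()
    return hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    page = render_simple_page(PACKAGE_BYTES)
    print("faithful mirror:", transmission_ok(page, "example-1.0.tar.gz", PACKAGE_BYTES))
    print("truncated download:", transmission_ok(page, "example-1.0.tar.gz", PACKAGE_BYTES[:-4]))
    altered = b"different contents (constructed)"
    # A mirror that republishes the simple page for altered contents still passes
    # layer 1; only a signature over the genuine simple page would expose this.
    print("page rewritten with package:",
          transmission_ok(render_simple_page(altered), "example-1.0.tar.gz", altered))
```

The third check is the point of Martin's second layer: the md5 in the simple page binds a download to whatever page the client fetched, so the page itself has to be authenticated by the index's signature before the md5 means "the same bits PyPI serves".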
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig