Quoting Daniel Holth <[email protected]>:
> I can't create two colliding uploads, uploading the first (harmless version) to pypi and then tricking someone into mirroring the second (harmful) version? The system is not designed to protect the uploaded contents at all?
It *is* designed to protect the uploaded contents, but not against the uploader. Instead, it protects against some mirror operator replacing a mirrored file, or some attacker taking over a mirror. If you assume that the package author is malicious, adding SHA hashes would not help at all. The package author can just upload a new version, and get it mirrored to all copies (including the master), and nothing in the mirroring protocol prevents that new version from containing a trojan horse. All hashes would be intact and fine, and the mirror be consistent with the master.
> So why not start using sha256?
It's not that simple. Backwards compatibility needs to be considered. Feel free to write specifications and patches. And please stop making FUD claims.

Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
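The threat-model boundary Martin describes, as an added illustration that is not part of the thread and not the real PyPI mirroring code: a master index publishes a digest per file, a mirror copies the files, and a client checks the mirror's copies against the master's published digests. The check catches a mirror operator (or an attacker who took over the mirror) swapping a file, but it cannot catch a package author who simply uploads a new, malicious release, because that release is mirrored with a matching digest everywhere. The `Index`, `mirror_sync` and `verify_mirror` names, the toy file contents and the selectable digest algorithm are all assumptions of this example.

```python
import hashlib


def digest(data: bytes, algo: str) -> str:
    """Hex digest of a file body; algo is any name hashlib knows (md5, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


class Index:
    """Simplified package index (master or mirror): filename -> file body.

    Assumption of this example: the master publishes one digest per file and
    mirrors copy file bodies verbatim, which is all the protocol needs here.
    """

    def __init__(self, algo: str = "md5") -> None:
        self.algo = algo
        self.files: dict[str, bytes] = {}

    def upload(self, name: str, content: bytes) -> None:
        """What a package author does: put (or replace) a release file."""
        self.files[name] = content

    def listing(self) -> dict[str, str]:
        """Digests the master publishes alongside its file list."""
        return {name: digest(body, self.algo) for name, body in self.files.items()}


def mirror_sync(master: Index, mirror: Index) -> None:
    """Mirror pulls every file from the master (no verification on its own side)."""
    for name, body in master.files.items():
        mirror.files[name] = body


def verify_mirror(master: Index, mirror: Index) -> list[str]:
    """Client-side check: files on the mirror whose body does not match the
    digest the master publishes.  Unknown files on the mirror count as bad too."""
    published = master.listing()
    bad = []
    for name, body in mirror.files.items():
        expected = published.get(name)
        if expected is None or digest(body, master.algo) != expected:
            bad.append(name)
    return bad


def scenario_mirror_tampering(algo: str = "md5") -> list[str]:
    """Mirror operator (or someone who compromised the mirror) swaps a file.
    The digests were fixed by the master, so the swap is detected."""
    master, mirror = Index(algo), Index(algo)
    master.upload("pkg-1.0.tar.gz", b"harmless build")      # constructed sample body
    mirror_sync(master, mirror)
    mirror.files["pkg-1.0.tar.gz"] = b"trojaned build"      # tampering on the mirror only
    return verify_mirror(master, mirror)                     # -> ["pkg-1.0.tar.gz"]


def scenario_malicious_uploader(algo: str = "md5") -> list[str]:
    """The author is the attacker: a new release is uploaded to the master and
    mirrored normally.  Every digest matches, so the check reports nothing,
    whichever hash function is in use."""
    master, mirror = Index(algo), Index(algo)
    master.upload("pkg-1.0.tar.gz", b"harmless build")
    mirror_sync(master, mirror)
    master.upload("pkg-1.1.tar.gz", b"trojaned build")      # legitimate-looking new release
    mirror_sync(master, mirror)
    return verify_mirror(master, mirror)                     # -> []


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo, "mirror tampering flagged:", scenario_mirror_tampering(algo))
        print(algo, "malicious upload flagged:", scenario_malicious_uploader(algo))
```

Running it with `sha256` instead of `md5` changes nothing in the second scenario, which is the point of the reply: a stronger digest only strengthens the guarantee the mirrors already give (the file you got is the file the master had), not a guarantee the protocol never made (the file the master had is trustworthy).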
