Paul Moore <p.f.mo...@gmail.com> wrote:
> > Not quite the sequence of events. -- I left the existing explicit link
> > for some time after the first posts to python-dev.  Then serious security
> > issues were marginalized ("not a meaningful scenario").  I find this a
> > little surprising, since PEP 458 is precisely there to address them.
> >
> > The user base that cdecimal targets (banks, stock exchanges, scientists)
> > are able to verify checksums -- in fact in some places it might be a
> > firing offense not to do so.
> 
> Personally, I don't recall ever seeing anything about a serious
> security issue.

Well, basically a couple of things that PEP 458 tries to address. Currently
manual verification of release time checksums is a good bet.

Anyway, people who *can* verify checksums can also use pip with judgement,
so I've re-enabled the explicit link.


I would be a bit more comfortable with sha256 instead of md5, but I may have
missed an option.


Stefan Krah

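As an added illustration (not code from this thread or from the cdecimal project): the kind of check a user of the explicit link can run locally. It assumes the link carries a pip-style `#md5=...` or `#sha256=...` fragment, verifies a downloaded file against it, and flags md5 as weak; the file name, URL and contents below are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Digest algorithms pip accepts in a "#<algo>=<hex>" URL fragment.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
WEAK = {"md5"}  # collisions are practical; verification still runs, but is flagged


def parse_fragment_digest(url):
    """Return (algorithm, hexdigest) from the URL fragment, or None if absent/unknown."""
    algo, sep, hexdigest = urlsplit(url).fragment.partition("=")
    algo = algo.lower()
    if not sep or algo not in SUPPORTED:
        return None
    return algo, hexdigest.lower()


def file_digest(path, algo, chunk_size=1 << 20):
    """Stream the file through hashlib so a large sdist is never read whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, url):
    """Compare the file's digest with the one embedded in its link; returns (ok, message)."""
    parsed = parse_fragment_digest(url)
    if parsed is None:
        return False, "no usable digest in link fragment; verify against a published checksum"
    algo, expected = parsed
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    if algo in WEAK:
        return True, f"{algo} matches, but {algo} is weak; prefer a sha256 link"
    return True, f"{algo} matches"


def demo():
    """Constructed sample: a fake sdist whose entire content is b'abc' (placeholder name)."""
    base = "https://example.invalid/cdecimal-example.tar.gz"  # placeholder URL
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cdecimal-example.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        links = (
            base + "#sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
            base + "#md5=900150983cd24fb0d6963f7d28e17f72",
            base + "#sha256=" + "0" * 64,  # tampered or wrong digest
        )
        return [verify_download(path, u) for u in links]
```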

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig