Paul Moore <p.f.mo...@gmail.com> wrote:
> > Not quite the sequence of events. -- I left the existing explicit link
> > for some time after the first posts to python-dev. Then serious security
> > issues were marginalized ("not a meaningful scenario"). I find this a
> > little surprising, since PEP 458 is precisely there to address them.
> >
> > The user base that cdecimal targets (banks, stock exchanges, scientists)
> > are able to verify checksums -- in fact in some places it might be a
> > firing offense not to do so.
>
> Personally, I don't recall ever seeing anything about a serious
> security issue.

Well, basically a couple of things that PEP 458 tries to address. Currently
manual verification of release time checksums is a good bet.

Anyway, people who *can* verify checksums can also use pip with judgement,
so I've re-enabled the explicit link. I would be a bit more comfortable with
sha256 instead of md5, but I may have missed an option.

Stefan Krah

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
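As an added example (not code from this thread or from cdecimal), here is the kind of manual release-checksum check the reply describes, written so that a sha256 digest is accepted and an md5-only digest is refused. The `algo=hexdigest` input format and the sample archive bytes are assumptions for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Acceptable digest algorithms; md5 is deliberately left out because it is
# collision-prone and should not be the only integrity check on a release.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}

def file_digest(path, algorithm, chunk_size=1 << 20):
    """Return the hex digest of a file, streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(path, published):
    """Check a file against a published 'algo=hexdigest' string.

    Returns (ok, reason). The 'algo=hex' form mirrors '#md5=' / '#sha256='
    link fragments on package indexes (an assumed format, not from the thread).
    """
    if "=" not in published:
        return False, "malformed digest string"
    algorithm, expected = published.split("=", 1)
    algorithm = algorithm.lower()
    if algorithm not in ACCEPTED_ALGORITHMS:
        return False, f"algorithm {algorithm} not accepted for verification"
    actual = file_digest(path, algorithm)
    # Constant-time comparison so a mismatch does not leak matching prefix length.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "digest mismatch"
    return True, "verified"

def demo():
    """Constructed sample archive bytes (not a real release) with three checks."""
    data = b"cdecimal sample archive: constructed bytes, not a real release\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        good = verify_release(path, "sha256=" + hashlib.sha256(data).hexdigest())
        weak = verify_release(path, "md5=" + hashlib.md5(data).hexdigest())
        bad = verify_release(path, "sha256=" + "0" * 64)
    finally:
        os.unlink(path)
    return good, weak, bad
```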