On Mon, Oct 21, 2013 at 6:47 PM, Tim Delaney <timothy.c.dela...@gmail.com> wrote:

> On 22 October 2013 12:21, Dan Stromberg <drsali...@gmail.com> wrote:
>
>> I may be missing something, but it seems the Python tarballs and hashes
>> are on the same host, and this is not an entirely good thing for security.

I was missing the gpg signing. That's probably more effective than md5 anyway - at least, I hope we're not using gpg with md5 :) Looking at the download pages in rapid-skim-mode, I saw the hashes and ignored the text describing the use of gpg. FWIW, I'm guessing a lot of people do that.

>> The way things are now, an attacker breaks into one host, doctors up a
>> tarball, changes the hashes in the same host, and people download without
>> noticing, even if they verify hashes.
>>
>> If you put the hashes on a different host from the tarballs, the attacker
>> has to break into two machines. In this scenario, the hashes add more
>> strength.
>
> I'm not a security expert, but I can't see how that gives any more
> security than the current system (I tried to find whatever article you're
> talking about, but failed). It doesn't matter if you provide downloads in
> one place and direct people to get the hashes from elsewhere. An attacker
> has no need to compromise the server where the hashes are stored - they
> only need to compromise the server that tells you where to get the
> downloads and hashes.

I don't see the original article anymore, but I believe it was in a Crypto-gram newsletter several years ago. The closest thing I found tonight was:
http://en.wikipedia.org/wiki/MD5#Applications
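Added example, not part of the thread and not python.org's release tooling: a small model of the point discussed above, where a hash stored beside the tarball still matches after both are replaced on the host, while a signature checked against a key held outside that host does not. A Lamport one-time signature stands in for GPG so the code needs only the standard library; the function names and sample tarball bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: a stdlib-only stand-in for GPG (assumption of this example).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def publish(tarball: bytes, sk) -> dict:
    # What the release manager uploads to the download host.
    return {"tarball": tarball, "md5": hashlib.md5(tarball).hexdigest(),
            "sig": sign(sk, tarball)}

def tamper(host: dict, payload: bytes) -> dict:
    # Write access to the host allows replacing the file and its hash,
    # but not producing a signature under the release key.
    return dict(host, tarball=payload, md5=hashlib.md5(payload).hexdigest())

def hash_ok(host: dict) -> bool:
    return hashlib.md5(host["tarball"]).hexdigest() == host["md5"]

def sig_ok(host: dict, pinned_pk) -> bool:
    # pinned_pk comes from outside the download host (keyring, earlier install).
    return verify(pinned_pk, host["tarball"], host["sig"])

def demo() -> dict:
    sk, pk = keygen()
    good = publish(b"constructed release tarball", sk)
    bad = tamper(good, b"constructed modified tarball")
    return {"good_hash": hash_ok(good), "good_sig": sig_ok(good, pk),
            "bad_hash": hash_ok(bad), "bad_sig": sig_ok(bad, pk)}

if __name__ == "__main__":
    print(demo())
```

The signature check only helps when the public key is pinned independently; a key fetched from the same host verifies whatever that host serves.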