Donald Stufft <don...@stufft.io> wrote:
> > Today I've switched to manual install mode with manual sha256sum
> > verification which is *far* safer than anything you get via pip right now.
>
> It is not safer in any meaningful way.
>
> If someone is in a position to compromise the integrity of PyPI's TLS, they
> can replace the hash on that page with something else. Now you've attempted to
> work around this by telling people to go look up the release announcement
> hash. However if someone can compromise the integrity of PyPI's TLS, they can
> also compromise the integrity of https://mail.python.org/, or GMane, or any
> other TLS based website[1].
Of course it is safer. Suppose a file is stored on PyPI:

1) Attacker guesses my username (or is it even visible, I'm not sure).
2) Clicks on "lost login".
3) Intercepts mail (difficult, but far from the TLS attack category). Maybe on a home or university network. Or a rogue person at a mail provider.
4) Changes the uploaded file together with the hash.

pip would be perfectly happy; checking the hash via Google would turn up a mismatch.

Stefan Krah

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
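The two threat models argued over in this exchange can be made concrete. The following is an added Python example, not code from either poster; the artifact bytes, the package name and the hashes are constructed stand-ins, and `pip_style_check` / `cross_checked` are hypothetical helpers modelling the two verification modes.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pip_style_check(artifact: bytes, index_hash: str) -> bool:
    # pip compares the download against the hash served by the same index page
    # the file came from, so file and hash share a single trust source.
    return sha256_hex(artifact) == index_hash


def cross_checked(artifact: bytes, index_hash: str, announcement_hash: str) -> bool:
    # Manual mode: the index hash must also agree with a hash obtained from an
    # independent channel (here, the release announcement on the mailing list).
    return sha256_hex(artifact) == index_hash == announcement_hash


# Constructed stand-in for the genuine sdist and the hash its author announced.
GENUINE = b"example-1.0.tar.gz: genuine release bytes (constructed)"
ANNOUNCED = sha256_hex(GENUINE)

# Constructed stand-in for a replaced upload and the hash the attacker publishes.
TAMPERED = b"example-1.0.tar.gz: modified release bytes (constructed)"
TAMPERED_HASH = sha256_hex(TAMPERED)


def account_takeover_scenario() -> dict:
    """Stefan's case: the attacker controls the PyPI account, so the file and
    the index hash change together, but the list archive still has the old hash."""
    return {
        "pip": pip_style_check(TAMPERED, TAMPERED_HASH),              # True
        "manual": cross_checked(TAMPERED, TAMPERED_HASH, ANNOUNCED),  # False
    }


def tls_compromise_scenario() -> dict:
    """Donald's case: the attacker can rewrite every TLS-delivered page, so the
    announcement hash the user looks up has been replaced as well."""
    forged_announcement = TAMPERED_HASH
    return {
        "pip": pip_style_check(TAMPERED, TAMPERED_HASH),                        # True
        "manual": cross_checked(TAMPERED, TAMPERED_HASH, forged_announcement),  # True
    }
```

The cross-check only adds detection when the second hash source is not reachable by the same attacker, which is exactly the point of disagreement in the thread.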