On May 8, 2014, at 11:34 AM, Stefan Krah <ste...@bytereef.org> wrote:

> Donald Stufft <don...@stufft.io> wrote:
>>> Today I've switched to manual install mode with manual sha256sum verification
>>> which is *far* safer than anything you get via pip right now.
>> 
>> It is not safer in any meaningful way.
>> 
>> If someone is in a position to compromise the integrity of PyPI's TLS, they
>> can replace the hash on that page with something else. Now you've attempted to
>> work around this by telling people to go look up the release announcement
>> hash. However if someone can compromise the integrity of PyPI's TLS, they can
>> also compromise the integrity of https://mail.python.org/, or GMane, or any
>> other TLS based website[1].
> 
> Of course it is safer.  Suppose a file is stored on PyPI:
> 
>  1) Attacker guesses my username (or is it even visible, I'm not sure).
> 
>  2) Clicks on "lost login".
> 
>  3) Intercepts mail (difficult, but far from the TLS attack category).
>     Maybe on a home or university network.  Or a rogue person at a
>     mail provider.
> 
>  4) Changes the uploaded file together with the hash.
> 
> 
> pip would be perfectly happy, checking the hash via Google would turn
> up a mismatch.

I said “meaningful”. Almost nobody is going to ever bother googling it and
the likelihood that someone is able to MITM *you* specifically is far less
than the likelihood that someone is going to MITM one of the cdecimal users.

Additionally your messages aren’t signed and email isn’t an authenticated
profile so if someone was able to get your password they could simply spoof
an email from you to the mailing list with new hashes, or edit out the description
telling people to go google some stuff.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

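The trust-domain point argued in this exchange, as an added illustration (not code from the thread or from pip): a hash fetched from the same index that served the file is checked against itself, so the attacker scenario above (file and hash replaced together) passes; only a hash recorded earlier from an independent channel catches it. Package name, file contents and the index layout are constructed for the demonstration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_with_index_hash(index: dict, name: str) -> bool:
    """Same-channel check: the expected hash comes from the index page itself.
    If the index is under attacker control, file and hash change together."""
    entry = index[name]
    return sha256_hex(entry["file"]) == entry["sha256"]


def verify_with_pinned_hash(index: dict, name: str, pins: dict) -> bool:
    """Out-of-band check: the expected hash was recorded from an independent
    source (a signed announcement, a previous trusted install) before download."""
    return sha256_hex(index[name]["file"]) == pins[name]


def build_scenario():
    """Constructed scenario: a genuine release is pinned, then the index is
    tampered with so that both the file and its advertised hash are replaced."""
    genuine = b"cdecimal-2.3.tar.gz: genuine release (constructed bytes)"
    index = {"cdecimal": {"file": genuine, "sha256": sha256_hex(genuine)}}
    pins = {"cdecimal": sha256_hex(genuine)}  # recorded out of band earlier

    # Attacker with control of the index (steps 1-4 in the quoted mail)
    tampered = b"cdecimal-2.3.tar.gz: tampered release (constructed bytes)"
    index["cdecimal"] = {"file": tampered, "sha256": sha256_hex(tampered)}
    return index, pins


if __name__ == "__main__":
    index, pins = build_scenario()
    print("index-hash check passes:", verify_with_index_hash(index, "cdecimal"))
    print("pinned-hash check passes:", verify_with_pinned_hash(index, "cdecimal", pins))
```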

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev