Dne 07. 12. 18 v 15:49 Devin Jeanpierre napsal(a):
On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solip...@pitrou.net> wrote:

    md5 is only used for a quick integrity check here (think of it as a
    sophisticated checksum).  For security you need to verify the
    corresponding GPG signature.


More to the point: you're getting the hash from the same place as the binary. If one is vulnerable to modifications by attackers, both are. So it doesn't matter. The real defense most people are relying on is TLS.

Yes I rely on TLS, no I'm not getting the archive necessarily from python.org. I might get it from a 3rd party that claims it's genuine.

Such party might be a Linux distro or another package manager (e.g. homebrew).

I can of course use GPG to verify it, but for quick check a sha512 sum works for me, while md5 not so much.

In Fedora, we use sha512 checksums [1]. In homebrew they use sha256 [2].

[1] https://src.fedoraproject.org/rpms/python3/blob/master/f/sources
[2] https://github.com/Homebrew/homebrew-core/blob/master/Formula/python.rb

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
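An added example, not code from the thread or from Fedora/Homebrew, of the "quick check" described above: read a published digest from a Fedora-style sources file (the `SHA512 (archive) = <hex>` line format is assumed), stream-hash the downloaded archive, compare in constant time, and refuse md5/sha1 entries outright. The archive and sources file are constructed in a temporary directory.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Line format of a Fedora "sources" file (assumed):  SHA512 (Python-3.7.1.tar.xz) = <hex>
SOURCES_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$")

# Hashes that only detect accidental corruption; collisions are practical for md5 and sha1.
WEAK_ALGOS = {"md5", "sha1"}

def parse_sources(text):
    """Map archive name -> (algorithm, hex digest) from sources-file text."""
    entries = {}
    for line in text.splitlines():
        m = SOURCES_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return entries

def file_digest(path, algo, chunk_size=1 << 20):
    """Stream the file through hashlib so a large archive never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def verify_archive(path, sources_text):
    """True if the archive matches its published digest; md5/sha1 entries are rejected."""
    algo, expected = parse_sources(sources_text)[os.path.basename(path)]
    if algo in WEAK_ALGOS or algo not in hashlib.algorithms_available:
        raise ValueError(f"{algo} is not an acceptable verification hash")
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed archive + sources file: the genuine copy verifies, a one-byte change does not."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "Python-3.7.1.tar.xz")
        data = b"constructed archive contents, not a real tarball"
        with open(archive, "wb") as fh:
            fh.write(data)
        sources = f"SHA512 ({os.path.basename(archive)}) = {hashlib.sha512(data).hexdigest()}\n"
        genuine = verify_archive(archive, sources)
        with open(archive, "wb") as fh:
            fh.write(data[:-1] + b"!")  # simulate a corrupted or altered download
        tampered = verify_archive(archive, sources)
    return genuine, tampered
```

As the thread notes, this only proves the file matches the digest you were given; whether that digest is trustworthy still depends on where it came from (TLS to the publisher, or a GPG signature).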
