[Python-Dev] Hashes on same site as download?
Barry Warsaw
barry at python.org
Tue Oct 22 03:45:58 CEST 2013
More information about the Python-Dev mailing list
Tue Oct 22 03:45:58 CEST 2013
- Previous message: [Python-Dev] Hashes on same site as download?
- Next message: [Python-Dev] Hashes on same site as download?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote: >I may be missing something, but it seems the Python tarballs and hashes are >on the same host, and this is not an entirely good thing for security. All the tarballs are signed with the GPG keys of the release managers. The hashes are just a quick verification that your download succeeded. For extra confidence, check the signatures. Our keys should be independently verifiable. -Barry
- Previous message: [Python-Dev] Hashes on same site as download?
- Next message: [Python-Dev] Hashes on same site as download?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-Dev mailing list