[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
Stefan Krah
stefan at bytereef.org
Thu May 8 17:34:54 CEST 2014
Donald Stufft <donald at stufft.io> wrote:
> > Today I've switched to manual install mode with manual sha256sum verification
> > which is *far* safer than anything you get via pip right now.
>
> It is not safer in any meaningful way.
>
> If someone is in a position to compromise the integrity of PyPI's TLS, they
> can replace the hash on that page with something else. Now you've attempted to
> work around this by telling people to go look up the release announcement
> hash. However if someone can compromise the integrity of PyPI's TLS, they can
> also compromise the integrity of https://mail.python.org/, or GMane, or any
> other TLS based website[1].

Of course it is safer. Suppose a file is stored on PyPI:

1) Attacker guesses my username (or is it even visible, I'm not sure).

2) Clicks on "lost login".

3) Intercepts mail (difficult, but far from the TLS attack category).
   Maybe on a home or university network. Or a rogue person at a mail
   provider.

4) Changes the uploaded file together with the hash.

pip would be perfectly happy, checking the hash via Google would turn up
a mismatch.

Stefan Krah
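The check Stefan describes, written out as an added Python example (this is not code from the thread, from pip or from cdecimal): the downloaded file is compared both against the hash shown on the index page, which is all an installer sees, and against a hash obtained out of band from the release announcement. The sample file bytes and the "tampered" variant are constructed for the example; `verify_release` and `account_takeover_scenario` are names chosen here.

```python
import hashlib

# Constructed sample release bytes (not a real cdecimal tarball).
ORIGINAL_SDIST = b"cdecimal-2.3.tar.gz: original contents\n"
# The hash as it was published out of band, e.g. in the release announcement.
ANNOUNCED_SHA256 = hashlib.sha256(ORIGINAL_SDIST).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def verify_release(downloaded: bytes, index_sha256: str, announced_sha256: str) -> str:
    """Compare a download against the index-page hash and the announced hash.

    Returns "ok" when both match, "index-mismatch" when the file does not
    match the hash on the index page (an installer would also catch this),
    and "announcement-mismatch" when file and index hash agree with each other
    but not with the independently published hash: the case where an upload
    and its hash were replaced together, which only an out-of-band hash reveals.
    """
    actual = sha256_hex(downloaded)
    if actual != index_sha256.strip().lower():
        return "index-mismatch"
    if actual != announced_sha256.strip().lower():
        return "announcement-mismatch"
    return "ok"


def account_takeover_scenario() -> str:
    """Model step 4 of the scenario above: the file on the index and the hash
    next to it are replaced together, the announcement hash is untouched."""
    tampered_sdist = b"cdecimal-2.3.tar.gz: modified contents\n"  # constructed
    index_sha256 = sha256_hex(tampered_sdist)  # attacker updates the index hash too
    return verify_release(tampered_sdist, index_sha256, ANNOUNCED_SHA256)


if __name__ == "__main__":
    print("untouched release:", verify_release(ORIGINAL_SDIST, ANNOUNCED_SHA256, ANNOUNCED_SHA256))
    print("replaced file + index hash:", account_takeover_scenario())
```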