[Python-Dev] Hashes on same site as download?
Dan Stromberg drsalists at gmail.com
Tue Oct 22 03:21:30 CEST 2013
- Previous message: [Python-Dev] Python 2.6.9 final final due out 28 October 2013
- Next message: [Python-Dev] Hashes on same site as download?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I may be missing something, but it seems the Python tarballs and hashes are on the same host, and this is not an entirely good thing for security.
The way things are now, an attacker breaks into one host, doctors up a tarball, changes the hashes in the same host, and people download without noticing, even if they verify hashes.
If you put the hashes on a different host from the tarballs, the attacker has to break into two machines. In this scenario, the hashes add more strength.
ISTR I first learned of this issue from an article by Bruce Schneier, though I don't think it was in the context of Python.
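An added illustration of the argument above, not part of the original post: a small Python model of the two layouts. The two hosts are represented as constructed dicts and the tarball contents are constructed sample bytes; the point is that a client who takes the hash from the same compromised host verifies the doctored file successfully, while a hash fetched from an independent host rejects it.

```python
import hashlib
import hmac

# Constructed stand-ins for a release tarball and its doctored replacement.
GENUINE_TARBALL = b"Python-x.y.z.tgz: genuine release contents (constructed sample)"
DOCTORED_TARBALL = b"Python-x.y.z.tgz: doctored contents (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a downloaded artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Compare the artifact's digest against the expected one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def scenario(hashes_on_download_host: bool) -> bool:
    """Model the threat from the thread: the download host is broken into and the
    tarball replaced. Returns True if the client's hash check still passes, i.e.
    the tampering goes unnoticed.

    Hypothetical hosts (an assumption of this model, not real infrastructure):
    - download_host serves the tarball and, in the single-host layout, the hash.
    - hash_host is a separate machine that only publishes hashes.
    """
    download_host = {"tarball": GENUINE_TARBALL, "hash": sha256_hex(GENUINE_TARBALL)}
    hash_host = {"hash": sha256_hex(GENUINE_TARBALL)}

    # The attacker breaks into the download host and swaps the tarball.
    download_host["tarball"] = DOCTORED_TARBALL
    if hashes_on_download_host:
        # Single-host layout: the hash file sits beside the tarball on the
        # compromised machine, so the attacker updates it to match.
        download_host["hash"] = sha256_hex(DOCTORED_TARBALL)
        expected = download_host["hash"]
    else:
        # Split layout: the client fetches the hash from the independent host,
        # which the attacker has not reached.
        expected = hash_host["hash"]

    return verify_download(download_host["tarball"], expected)
```

`scenario(True)` returns True (the doctored tarball passes), `scenario(False)` returns False (the independent hash exposes the swap).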