[Python-Dev] Hashes on same site as download? (original) (raw)
Barry Warsaw barry at python.org
Tue Oct 22 03:45:58 CEST 2013
- Previous message: [Python-Dev] Hashes on same site as download?
- Next message: [Python-Dev] Hashes on same site as download?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote:
I may be missing something, but it seems the Python tarballs and hashes are on the same host, and this is not an entirely good thing for security.
All the tarballs are signed with the GPG keys of the release managers. The hashes are just a quick verification that your download succeeded. For extra confidence, check the signatures. Our keys should be independently verifiable.
-Barry
- Previous message: [Python-Dev] Hashes on same site as download?
- Next message: [Python-Dev] Hashes on same site as download?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]