Message 351979 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes, lkollar, lukasz.langa, mattip, ned.deily
Date	2019-09-11.16:49:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1568220567.52.0.655316245532.issue37967@roundup.psfhosted.org>
In-reply-to

Content
If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security. An attack with write access to www.python.org or access to the private key of www.python.org can easily replace the pubkeys.txt with a key file under his control. You only get additional security if you retrieve the key from a different location and verify that the key owned by Łukasz.

If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security. An attack with write access to www.python.org or access to the private key of www.python.org can easily replace the pubkeys.txt with a key file under his control. You only get additional security if you retrieve the key from a different location *and* verify that the key owned by Łukasz.

History
Date	User	Action	Args
2019-09-11 16:49:27	christian.heimes	set	recipients: + christian.heimes, ned.deily, lukasz.langa, mattip, lkollar
2019-09-11 16:49:27	christian.heimes	set	messageid: <1568220567.52.0.655316245532.issue37967@roundup.psfhosted.org>
2019-09-11 16:49:27	christian.heimes	link	issue37967 messages
2019-09-11 16:49:27	christian.heimes	create