Christian Heimes <li...@cheimes.de> added the comment:

If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security. An attacker with write access to www.python.org or access to the private key of www.python.org can easily replace the pubkeys.txt with a key file under his control. You only get additional security if you retrieve the key from a different location *and* verify that the key is owned by Łukasz.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37967>
_______________________________________
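
An added example, not part of the tracker message or of CPython's release tooling: one way to act on the comment above is to pin the signer's full fingerprint, obtained from a channel other than www.python.org, and accept a downloaded key file only if it holds exactly that key. The function names are hypothetical, the fingerprints and colon records are constructed placeholders, and `check_keyfile` assumes GnuPG 2.2 or later for `--show-keys`.

```shell
#!/bin/sh
# Added example: pin a release key by its full fingerprint, obtained
# from a channel other than the site that serves the key file.

# Print the fingerprint of each primary key found in `gpg --with-colons`
# output on stdin (the fpr record that directly follows a pub record).
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "fpr" && want { print $10 }
                            { want = 0 }
    '
}

# key_matches_pin PINNED: succeed only if stdin describes exactly one
# primary key whose fingerprint equals PINNED. Returns 2 for a bad pin.
key_matches_pin() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$pinned" in
        ''|*[!0-9A-F]*) return 2 ;;   # empty or not hexadecimal
    esac
    # Require the full 40-hex-digit fingerprint, never a short key ID.
    [ "${#pinned}" -eq 40 ] || return 2
    found=$(primary_fprs)
    # Two or more primary keys yield several lines and never match.
    [ "$found" = "$pinned" ]
}

# check_keyfile FILE PINNED: list the keys in FILE without importing
# them and compare against the pin (assumes GnuPG 2.2+).
check_keyfile() {
    gpg --show-keys --with-colons "$1" | key_matches_pin "$2"
}

# Constructed sample colon output; the fingerprints are placeholders.
SAMPLE_PIN='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_KEY='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Constructed User <user@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'
```

The pin only adds security when it comes from somewhere the web server's operator or attacker cannot rewrite, such as a fingerprint confirmed with the key owner directly.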