You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
https://www.python.org/downloads/ uses 32-bit OpenPGP key IDs.
This bad, because 32 bits is so short, it's computationally trivial to generate a new key with chosen ID.
In fact if you run the suggested command:
This is something needs to be discussed with the current release managers. There is not much we can do here as www.python.org maintainers. Could you please send an email to python-dev about this? Thanks!
I have updated the website to display the 64-bit form of people's keys and, in most cases, link to their keybase.io entry which contains the full fingerprint.
https://www.python.org/downloads/ uses 32-bit OpenPGP key IDs.
This bad, because 32 bits is so short, it's computationally trivial to generate a new key with chosen ID.
In fact if you run the suggested command:
you will get not only keys of release managers, but also two sham keys.
Please use 64-bit key IDs or, preferably, full key fingerprints.
The text was updated successfully, but these errors were encountered: