32-bit OpenPGP key IDs on download page #978
Assignees
Labels
Comments
|
This is something needs to be discussed with the current release managers. There is not much we can do here as www.python.org maintainers. Could you please send an email to python-dev about this? Thanks! |
|
@jwilk, thanks for the report. @berkerpeksag, I'll take care of this one. |
|
I have updated the website to display the 64-bit form of people's keys and, in most cases, link to their keybase.io entry which contains the full fingerprint. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://www.python.org/downloads/ uses 32-bit OpenPGP key IDs.
This bad, because 32 bits is so short, it's computationally trivial to generate a new key with chosen ID.
In fact if you run the suggested command:
you will get not only keys of release managers, but also two sham keys.
Please use 64-bit key IDs or, preferably, full key fingerprints.
The text was updated successfully, but these errors were encountered: