You are right, I skipped over that this was actually a server-side exploit - sure, end-to-end signing will help here.

On 30/01/13 19:47, Edward Z. Yang wrote:
>> As long as we upload packages via plain HTTP, signing won't help though.