[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Mon Jul 29 22:33:11 CEST 2013


On Jul 29, 2013, at 3:14 PM, Donald Stufft <donald at stufft.io> wrote:

> 
> On Jul 29, 2013, at 2:57 PM, zooko <zooko at zooko.com> wrote:
> 
>> I'd like to push back on the other risk, that someone might figure out how to
>> make MD5 second-pre-images. I don't think this is a risk that we need to
>> urgently address, and I've written a short note explaining why. This note is
>> incomplete, badly edited, has not been peer-reviewed, and is not ready for
>> publication, but I thought it might help folks evaluate how urgent it is to
>> upgrade from MD5, so here it is.
> 
> I don't think it's urgent to fix it, but I think it's a good security hardening effort
> with very little downside and very little chance of regression. However, as I
> said if Holger, or anyone else, has a concern about the effects of adding this
> bit of security hardening to give us a safety net again then I simply won't do
> it in the simple API.
> 
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

Somewhat relevant to the question at hand: http://valerieaurora.org/hash.html

(Yes, it lists SHA-2 as weakened, which it is. However, SHA-3 isn't widespread enough for us :( )

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
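The thread is about whether index entries should keep carrying MD5 digests or move to a stronger hash. As an added illustration (not code from this message, from distutils, or from the simple index implementation), the following checker verifies a downloaded file against a `#<alg>=<hex>` URL fragment, accepts the legacy `md5` form but reports it as weak so a client can log or refuse it by policy, and prefers SHA-2 digests. The fragment format, the policy split between "weak" and "strong" digests, and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Policy for this example (an assumption, not anything the thread defines):
# MD5 and SHA-1 are accepted for legacy index entries but flagged as weak,
# since collisions are practical for both; SHA-2 digests are preferred.
WEAK_DIGESTS = {"md5", "sha1"}
STRONG_DIGESTS = {"sha256", "sha384", "sha512"}
ACCEPTED_DIGESTS = WEAK_DIGESTS | STRONG_DIGESTS


def digest_url(base_url, alg, data):
    """Build a download URL carrying a '#<alg>=<hex>' fragment for `data`.

    Hypothetical helper so that an index entry can be constructed inline.
    """
    if alg not in ACCEPTED_DIGESTS:
        raise ValueError("unsupported digest algorithm %r" % alg)
    return "%s#%s=%s" % (base_url, alg, hashlib.new(alg, data).hexdigest())


def parse_digest_fragment(url):
    """Return (algorithm, hexdigest) from a '#<alg>=<hex>' URL fragment.

    Raises ValueError when the fragment is missing, names an algorithm the
    policy does not accept, or carries a hexdigest of the wrong length or
    with non-hex characters.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        raise ValueError("no digest fragment on %r" % url)
    alg, _, hexdigest = fragment.partition("=")
    alg = alg.lower()
    if alg not in ACCEPTED_DIGESTS:
        raise ValueError("unsupported digest algorithm %r" % alg)
    expected_len = hashlib.new(alg).digest_size * 2
    if len(hexdigest) != expected_len:
        raise ValueError("malformed %s hexdigest (wrong length)" % alg)
    try:
        bytes.fromhex(hexdigest)
    except ValueError:
        raise ValueError("malformed %s hexdigest (non-hex characters)" % alg)
    return alg, hexdigest.lower()


def verify_download(data, url):
    """Check `data` against the digest carried in `url`'s fragment.

    Returns (ok, alg, weak): `ok` is whether the digest matched, `alg` is the
    algorithm used, and `weak` is True for the legacy collision-prone digests,
    so the caller can keep accepting old index entries while flagging them.
    The comparison is constant-time via hmac.compare_digest.
    """
    alg, expected = parse_digest_fragment(url)
    actual = hashlib.new(alg, data).hexdigest()
    ok = hmac.compare_digest(actual, expected)
    return ok, alg, alg in WEAK_DIGESTS


if __name__ == "__main__":
    # Constructed sample payload standing in for a downloaded sdist.
    sample = b"constructed sample sdist bytes\n"
    url = digest_url("https://example.invalid/pkg-1.0.tar.gz", "sha256", sample)
    print(verify_download(sample, url))
    legacy = digest_url("https://example.invalid/pkg-1.0.tar.gz", "md5", sample)
    print(verify_download(sample, legacy))
```

A client built on this can treat `weak=True` as "accept but warn" during a transition and flip it to "reject" once the index serves SHA-2 digests everywhere, which is the low-regression path the message above argues for.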
