[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Nick Timkovich prometheus235 at gmail.com
Fri Dec 7 10:56:22 EST 2018


Devil's advocate: it might complicate things for someone that needs to use
FIPS, where MD5 can be a pain to deal with.

On Fri, Dec 7, 2018 at 8:50 AM Devin Jeanpierre <jeanpierreda at gmail.com>
wrote:

> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net> wrote:
>
>> md5 is only used for a quick integrity check here (think of it as a
>> sophisticated checksum).  For security you need to verify the
>> corresponding GPG signature.
>>
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So it
> doesn't matter. The real defense most people are relying on is TLS.
>
> -- Devin
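An added example, not part of the original thread: a download checker that prefers SHA-512 and falls back to MD5 only when it is the sole published digest, skipping any algorithm the local build refuses (as a FIPS-enforcing build can for MD5). The function names, the `published` mapping and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io


def file_digest(stream, algorithm, chunk_size=65536):
    """Hex digest of a binary stream, or None if the algorithm is unusable.

    hashlib raises ValueError for an algorithm that is unknown or blocked
    by policy (MD5 on a FIPS-enforcing build). usedforsecurity=False
    (Python 3.9+) declares checksum-only use, which some FIPS builds allow.
    """
    try:
        h = hashlib.new(algorithm, usedforsecurity=False)
    except ValueError:
        return None
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def check_download(stream, published):
    """Compare a seekable stream against published digests, strongest first.

    `published` maps algorithm name -> hex digest copied from the download
    page. Returns (algorithm_used, matches), or (None, False) when no
    published algorithm is usable here. A match only rules out corruption:
    the digest came from the same place as the file, so authenticity still
    rests on TLS and the GPG signature, as the thread points out.
    """
    for algorithm in ("sha512", "sha256", "md5"):
        expected = published.get(algorithm)
        if expected is None:
            continue
        stream.seek(0)
        actual = file_digest(stream, algorithm)
        if actual is None:
            continue  # e.g. MD5 refused under FIPS: try the next digest
        return algorithm, hmac.compare_digest(actual, expected.strip().lower())
    return None, False


if __name__ == "__main__":
    # Constructed sample: stands in for a downloaded installer.
    sample = io.BytesIO(b"hello world")
    published = {"md5": "5eb63bbbe01eeed093cb22bb8f5acdc3"}
    print(check_download(sample, published))
```

On a FIPS build where MD5 is refused even with `usedforsecurity=False`, an MD5-only listing yields `(None, False)`, which is the inconvenience raised in the reply above.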

