[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Antoine Pitrou
solipsis at pitrou.net
Mon Dec 10 05:26:15 EST 2018
On Mon, 10 Dec 2018 07:31:44 +0100
Ronald Oussoren via Python-ideas
<python-ideas at python.org> wrote:
>
> That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it harder to validate the checksum on major platforms.
>
> I don’t have a strong opinion either way, I’m slightly in favour of switching to the same algorithm as used on PyPI to be consistent within these PSF properties.
>
> BTW. I wonder how many actually verify these checksums, I personally generally assume that HTTPS downloads are reliable enough and don’t verify checksums unless I do the download in an automation pipeline.
Ah, the automation use case is a good point in favor of stronger hashes.
You may have checked the initial download hash and then use it in a
script to make sure later downloads haven't been tampered with.
Regards
Antoine.
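The automation case Antoine describes, as an added example (this is not code from the thread, from python.org or from PyPI): a pipeline records the SHA-512 of a download once, from a trusted copy, and every later download is rejected unless it matches that pin. The manifest format, file names, contents and digests below are constructed for the demonstration; `sha512sum`-style "<hex>  <name>" lines are assumed as the pin format.

```python
"""Verify a downloaded artefact against a pinned SHA-512 digest.

Added example, not code from the mailing-list thread or from python.org.
It assumes the pin was recorded once from a trusted source (the download
page) and stored with the pipeline; names and contents below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # stream 1 MiB at a time so large installers don't fill RAM


def file_digest(path, algorithm="sha512"):
    """Hex digest of a file, computed in chunks so any file size works."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha512sum-style lines ('<hex>  <filename>') into {name: hex}.

    Blank lines and '#' comments are skipped; both the text-mode ('  ')
    and binary-mode (' *') separators are accepted. Digests are lowercased.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pins[name] = digest.lower()
    return pins


def verify_download(path, expected_hex, algorithm="sha512"):
    """True iff the file's digest equals the pinned value.

    The pin is validated first so a truncated or mistyped pin fails loudly
    instead of silently never matching. The comparison is constant-time;
    it costs nothing here and avoids building a bad habit.
    """
    expected = expected_hex.strip().lower()
    want_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != want_len or set(expected) - set("0123456789abcdef"):
        raise ValueError(f"pin is not a {want_len}-hex-char {algorithm} digest")
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed round trip: pin a clean artefact, then catch tampering."""
    good = b"#!/bin/sh\necho 'pretend this is an installer'\n" * 1000
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "artefact.tgz")  # constructed file name
        with open(path, "wb") as f:
            f.write(good)
        # Step 1: record the pin once, from the trusted copy.
        manifest = f"{file_digest(path)}  artefact.tgz\n"
        pins = parse_checksum_manifest(manifest)
        results["clean"] = verify_download(path, pins["artefact.tgz"])
        # Step 2: a later download differs by a single byte.
        with open(path, "r+b") as f:
            f.seek(len(good) // 2)
            f.write(b"X")
        results["tampered"] = verify_download(path, pins["artefact.tgz"])
        # Step 3: a mistyped/truncated pin is an error, not a silent mismatch.
        try:
            verify_download(path, "deadbeef")
            results["short_pin_rejected"] = False
        except ValueError:
            results["short_pin_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'tampered': False, 'short_pin_rejected': True}
```

The point of the pin is that it comes from a copy you trusted at one moment in time; HTTPS protects each transfer, but only the stored digest tells you that today's file is the same one you vetted.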