[Distutils] Proposal: drop md5 for sha256
Tarek Ziadé
tarek at ziade.org
Tue Jul 3 09:52:41 CEST 2012
On 7/3/12 9:48 AM, Donald Stufft wrote:
> On Tuesday, July 3, 2012 at 3:45 AM, Tarek Ziadé wrote:
>>
>> Hash in the RECORD file have nothing to do with making sure the package
>> is originated from developer X.
>> Its only purpose is to know if a file on the system was changed
>>
> Using sha256 would enable preventing someone from maliciously changing the
> file.
If someone has access to that file, it means that he can also change the
RECORD file
so you have no way of trusting RECORD either.
> Similar to how IDS systems capture hashes of binaries to compare against.
> Of course someone using the system like this would need to protect the
> filesystem
> storing the RECORD files accordingly.
I think that's the main issue - where are you going to put the RECORD file ?
>
> I also think that switching to sha256 is pretty low cost with minimal
> (no?) downsides
> with some possible upsides. Is there a reason to stay with md5?
The file is two times smaller and faster to create, and md5 does its job
at providing
a hash for a file. I still fail to see a use case for stronger hashes
Cheers
Tarek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20120703/c1f689fc/attachment-0001.html>
More information about the Distutils-SIG
mailing list