[Distutils] Proposal: drop md5 for sha256

Daniel Holth dholth at gmail.com
Tue Jul 3 13:14:43 CEST 2012


It's embarrassing to see md5 used for any reason. You go to pypi, and
every download link has an md5 sum of the package, and you think "what
is this archaic system that gives me a useless hash, implicated in
such fine situations as the Flame malware and ever-improving attacks
against md5?" It is irrelevant that it is "probably good enough for
this limited use". You might as well use CRC32; it is much shorter.

By re-using RECORD to include a secure hash of every file in an
archive, you can sign all the files in the archive by signing RECORD,
similar to how jars are signed.  The digital signature is right there
inside the archive, and if you decide you would rather have a .tar.xz
instead of a .zip the signature is still valid.
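The scheme sketched above, as an added example that is not code from the post or from any packaging project: each file's sha256 goes into a RECORD manifest, the manifest is what gets signed, and the same RECORD plus signature verify whether the files arrive in a .zip or a .tar.xz. The RECORD line layout (`path,sha256=<urlsafe-base64 digest>,<size>`), the sample files and the key are constructed for the demo; the signature is an HMAC-SHA256 stand-in, used only because the standard library has no public-key signing, where a real deployment would use an asymmetric signature over the same RECORD bytes.

```python
import base64
import hashlib
import hmac
import io
import tarfile
import zipfile

# Constructed sample files standing in for a small package; not a real distribution.
SAMPLE_FILES = {
    "pkg/__init__.py": b"VERSION = '0.1'\n",
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
}
# Constructed key for the HMAC stand-in (a real scheme signs RECORD with a private key).
DEMO_KEY = b"constructed-demo-key"


def sha256_digest(data: bytes) -> str:
    # sha256 of the file content, urlsafe base64 without padding.
    raw = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_record(files: dict) -> bytes:
    # One line per file: path, hash algorithm and digest, size. Sorted so RECORD is deterministic.
    lines = [f"{p},sha256={sha256_digest(files[p])},{len(files[p])}" for p in sorted(files)]
    return ("\n".join(lines) + "\n").encode("utf-8")


def parse_record(record: bytes) -> dict:
    entries = {}
    for line in record.decode("utf-8").splitlines():
        if line:
            path, hash_field, size = line.split(",")
            algo, digest = hash_field.split("=", 1)
            entries[path] = (algo, digest, int(size))
    return entries


def sign_record(record: bytes, key: bytes) -> bytes:
    # Stand-in for a digital signature: only RECORD is signed, never the container bytes.
    return hmac.new(key, record, hashlib.sha256).digest()


def pack_zip(files: dict, record: bytes, sig: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr("RECORD", record)
        zf.writestr("RECORD.sig", sig)
    return buf.getvalue()


def unpack_zip(blob: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def pack_tar_xz(files: dict, record: bytes, sig: bytes) -> bytes:
    # Same files, same RECORD and signature, different container.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for path, data in list(files.items()) + [("RECORD", record), ("RECORD.sig", sig)]:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unpack_tar_xz(blob: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:xz") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}


def verify_archive(contents: dict, key: bytes) -> bool:
    """Verify RECORD's signature, then every file against RECORD.

    Fails on a bad signature, a modified file, a file RECORD does not list,
    or a listed file that is missing. Works on the output of either unpacker.
    """
    record, sig = contents.get("RECORD"), contents.get("RECORD.sig")
    if record is None or sig is None:
        return False
    if not hmac.compare_digest(sign_record(record, key), sig):
        return False
    entries = parse_record(record)
    for path, data in contents.items():
        if path in ("RECORD", "RECORD.sig"):
            continue
        if path not in entries:
            return False  # unlisted file: nothing vouches for it
        algo, digest, size = entries[path]
        if algo != "sha256" or len(data) != size:
            return False
        if not hmac.compare_digest(digest, sha256_digest(data)):
            return False
    return all(path in contents for path in entries)


def demo() -> dict:
    """Build RECORD once, sign it once, and verify both container formats."""
    record = build_record(SAMPLE_FILES)
    sig = sign_record(record, DEMO_KEY)
    from_zip = unpack_zip(pack_zip(SAMPLE_FILES, record, sig))
    from_tar = unpack_tar_xz(pack_tar_xz(SAMPLE_FILES, record, sig))
    tampered = dict(from_zip)
    tampered["pkg/core.py"] = b"def add(a, b):\n    return a - b\n"
    return {
        "zip_ok": verify_archive(from_zip, DEMO_KEY),
        "tar_xz_ok": verify_archive(from_tar, DEMO_KEY),
        "tampered_ok": verify_archive(tampered, DEMO_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signature binds RECORD and RECORD binds file contents, re-packing into another container changes nothing the verifier checks; conversely, any file edit, addition or removal is caught without the signer having to re-sign.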

