[Distutils] Proposal: drop md5 for sha256
Éric Araujo
merwok at netwok.org
Tue Jul 3 17:10:41 CEST 2012
Le 03/07/2012 10:53, Tarek Ziadé a écrit :
> On 7/3/12 4:32 PM, PJ Eby wrote:
>> No, because that's not what the RECORD hashes are for. It's not an
>> intrusion detection system, it's an installer conflict and "oops I
>> edited the wrong file" checker.
>>
>> People who are upset because md5 is low security are correctly
>> understanding that this system *provides no security*. We are not
>> promising ANY security, so *not* using a secure hash is actually
>> preferable. The goal is data integrity against accidental overwrite
>> by dumb installer tools (e.g. distutils) and accidental edits, not
>> security against malicious tampering.
Exactly. Promises of false security do not help users.
> Yeah I don't really understand this debate over md5 hashes here. I
> suggest that we emphasis in PEP 376 the fact that the sole purpose is to
> have a checksum.
Putting that on my list of editions for the PEPs!
Cheers
More information about the Distutils-SIG
mailing list