[Distutils] Migrating Hashes from MD5 to SHA256

Donald Stufft donald at stufft.io
Fri Jul 26 21:14:17 CEST 2013


On Jul 26, 2013, at 2:33 PM, PJ Eby <pje at telecommunity.com> wrote:

> On Fri, Jul 26, 2013 at 12:25 PM, Donald Stufft <donald at stufft.io> wrote:
>> Additionally there is no security list from setuptools versions earlier than 0.7.
> 
> Not true, actually.  Setuptools 0.6 dev releases supported SSL
> verification since mid-May, but don't support any hashes besides MD5.
> Anybody who updated their setuptools between then and the release of
> 0.7 would have that version.  Unfortunately, it's hard to tell how
> many people that is, though I could try and dig through my server logs
> to find out.
> 
> There's also another issue with jumping to SHA256: Python prior to 2.5
> didn't support it.
> 
> Which brings up another point: the setuptools 0.6 series is the only
> setuptools available for Python 2.3.  That's one of the reasons it's
> still available for download.  If you want SSL verification on 2.3,
> it's the only thing available.  (Meanwhile, a lot of people are still
> downloading 0.6c11; probably I should package up an 0.6c12 so those
> folks pick it up instead of 0.6c11.)
> 
> Anyway, this is all somewhat moot since the hashes only matter when
> the download is hosted somewhere besides PyPI, since SSL verification
> is available for the PyPI part.  Even so, I'd suggest that moving to
> SHA1 might be a good intermediate step: it's available on Python 2.3,
> so I could backport the relevant support to the 0.6 branch.  (IIUC,
> Python 2.3 is still the default version for many Linux distros that
> have not reached end-of-life support.)


I don't have a Python 2.3 available to attempt to test. To be honest I've
never even used Python 2.3. Does the hashlib backport I added to
setuptools 0.9 for Python 2.4 work on 2.3? It's a pure Python
implementation of hashlib.

SHA1 is better but it already has weaknesses so if at all possible it
would be much preferred and significantly better to switch to SHA256.

Setuptools doesn't appear to include the Python version in its user
agent so I can't get any sort of information about Python 2.3 usage.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
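An added illustration of the migration the thread discusses; this is not code from the thread or from setuptools. It assumes the digest travels in a `#algo=hexdigest` URL fragment (several may be joined with `&`) and verifies a download with the strongest algorithm that is both advertised and constructible in the running interpreter's hashlib, so a project can publish SHA256 alongside MD5 while older interpreters still check what they can.

```python
import hashlib
import hmac

# Strongest first. Ranking chosen for this example; it is not setuptools' own policy.
PREFERENCE = ("sha256", "sha1", "md5")


def available_algorithms():
    """Return the preferred algorithms this interpreter's hashlib can build, strongest first."""
    found = []
    for name in PREFERENCE:
        try:
            hashlib.new(name)
        except ValueError:
            continue  # e.g. an old interpreter without sha256 support
        found.append(name)
    return found


def parse_hash_fragment(fragment):
    """Turn 'sha256=abc...&md5=def...' into {'sha256': 'abc...', 'md5': 'def...'}.

    Unknown algorithm names and malformed pairs are ignored rather than trusted.
    """
    digests = {}
    for pair in fragment.split("&"):
        name, sep, value = pair.partition("=")
        name = name.strip().lower()
        if sep and name in PREFERENCE and value.strip():
            digests[name] = value.strip().lower()
    return digests


def verify(data, fragment):
    """Return (algorithm_used, ok) for downloaded bytes against the fragment's digests.

    Picks the strongest digest that is both advertised and available locally; if none
    overlap there is nothing to check and the result is (None, False).
    """
    advertised = parse_hash_fragment(fragment)
    for name in available_algorithms():
        if name in advertised:
            actual = hashlib.new(name, data).hexdigest()
            # Constant-time comparison; mismatched lengths simply compare unequal.
            return name, hmac.compare_digest(actual, advertised[name])
    return None, False


if __name__ == "__main__":
    # Constructed sample: a file body with both a sha256 and an md5 advertised.
    SAMPLE = b"hello"
    print(verify(SAMPLE, "sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824&md5=5d41402abc4b2a76b9719d911017c592"))
```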

