[issue40698] distutils.command.upload md5_digest

[Donald Stufft]

Donald Stufft <donald at stufft.io> added the comment:

> Does PyPI support other digests, e.g. SHA2-256 digest?

There is a simple and a complicated answer to this.

The simple answer is yes, PyPI supports uploads with any combination of MD5, SHA256, and blake2_256 (blake2b with a 256 digest, no personalization or key). It will also compute all 3 on an upload on it's own and verify that they match any provided hashes and to fill in any missing hashes.

The more complicated answer is the upload API is an old API from long before we started documenting and standardizing them, so when you start talking about non PyPI implementations of that API, what they support is kind of a big who knows.

More to the problem at hand:

We don't rely on this hash for security (We couldn't, it comes in the exact same payload as the artifact itself from the exact same source, someone who can modify the artifact en route can modify the hash too). So the inclusion of MD5 is not a concern.

Removing it *might* break non-PyPI servers that attempted to implement this API and assumed it was a mandatory field (though I do not have any a priori knowledge of this being the case).

Adding additional hashes *might* break non-PyPI servers that assumed what distutils used to send was all it would ever send (this is unlikely though, most web tools ignore unknown form fields).

I looked into what twine is doing here, and it appears it is sending md5, sha256, and blake2_256 hashes all along with every request. However if FIPS mode has disabled MD5 it just skips generating and sending MD5 (but still sends the other two) and it appears it's done this for 2+ years.

It's probably safe to just mimc what twine is doing here, sending all 3 hashes, skip MD5 if it's unavailable.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40698>
_______________________________________