[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Devin Jeanpierre
jeanpierreda at gmail.com
Fri Dec 7 09:49:59 EST 2018
On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net> wrote:
> md5 is only used for a quick integrity check here (think of it as a
> sophisticated checksum). For security you need to verify the
> corresponding GPG signature.
>
More to the point: you're getting the hash from the same place as the
binary. If one is vulnerable to modifications by attackers, both are. So it
doesn't matter. The real defense most people are relying on is TLS.
-- Devin
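
An added example, not part of the original message: a small simulation of the point made in this thread, showing that a digest served from the same page as the file catches transfer corruption but not a rewrite of the page, while a reference obtained from a separate channel catches both. The `publish` helper, the sample bytes and the pinned SHA-512 digest (standing in here for an independent trust anchor such as the GPG signature mentioned above) are constructed assumptions.

```python
import hashlib
import hmac


def publish(payload: bytes) -> dict:
    """Constructed stand-in for a download page: the file and its MD5 side by side."""
    return {"file": payload, "md5": hashlib.md5(payload).hexdigest()}


def check_cohosted(page: dict) -> bool:
    """Quick integrity check: file vs. the digest taken from the same page."""
    return hashlib.md5(page["file"]).hexdigest() == page["md5"]


def check_pinned(page: dict, pinned_sha512: str) -> bool:
    """File vs. a digest the verifier obtained over a separate channel (assumption)."""
    actual = hashlib.sha512(page["file"]).hexdigest()
    return hmac.compare_digest(actual, pinned_sha512)


# Constructed sample data; PINNED models a value received out of band.
RELEASE = b"constructed release bytes v1.0\n"
PINNED = hashlib.sha512(RELEASE).hexdigest()


def scenarios() -> dict:
    intact = publish(RELEASE)
    # Truncated transfer: the file is damaged, the published digest is not.
    corrupted = dict(intact, file=RELEASE[:-5])
    # Page rewritten: file and digest come from the same origin, so both change.
    rewritten = publish(b"constructed substituted bytes\n")
    pages = {
        "intact": intact,
        "corrupted_in_transit": corrupted,
        "page_rewritten": rewritten,
    }
    return {
        name: {
            "cohosted_md5_ok": check_cohosted(page),
            "pinned_sha512_ok": check_pinned(page, PINNED),
        }
        for name, page in pages.items()
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

In the `page_rewritten` case the co-hosted check still passes whichever hash function is used, so the outcome depends on where the reference value comes from rather than on MD5 versus SHA-512.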