[Discussion about MD5]
I think there's not much point in discussing MD5 in this context.
When creating new designs, you should always use the current
best and most widely deployed algorithm, IMO.
For Python, this is the SHA-2 family at the moment, since SHA-3 is
not supported by Python's
On Mar 9, 2013, at 9:56 AM, M.-A. Lemburg m...@egenix.com wrote:
[Discussion about MD5]
I think there's not much point in discussing MD5 in this context.
When creating new designs, you should always use the current
best and most widely deployed algorithm, IMO.
For Python, this is the
On 09.03.2013 02:06, Giovanni Bajo wrote:
It's a good practice to avoid crypto algorithms whose foundations are known
to be broken. This is one of those cases. If we ever touch code that uses
MD5, we should drop it immediately. There is no reason to keep it and wait
for someone to release
On 09/Mar/2013, at 19:09, Christian Heimes christ...@python.org wrote:
On 09.03.2013 02:06, Giovanni Bajo wrote:
It's a good practice to avoid crypto algorithms whose foundations are known
to be broken. This is one of those cases. If we ever touch code that uses
MD5, we
On 08.03.2013 13:15, Christian Heimes wrote:
On 08.03.2013 12:49, M.-A. Lemburg wrote:
Together with the added hash tag on the download file URLs (*),
this would solve the availability and the security aspects.
Instead of deprecating external links altogether, we could then
deprecate
Accidentally sent this to only MAL so resending!
On Mar 8, 2013, at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote:
On 08.03.2013 13:15, Christian Heimes wrote:
On 08.03.2013 12:49, M.-A. Lemburg wrote:
Together with the added hash tag on the download file URLs (*),
this would solve the
On 08.03.2013 14:09, Donald Stufft wrote:
Accidentally sent this to only MAL so resending!
On Mar 8, 2013, at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote:
On 08.03.2013 13:15, Christian Heimes wrote:
On 08.03.2013 12:49, M.-A. Lemburg wrote:
Together with the added hash tag on the
On 08.03.2013 13:50, M.-A. Lemburg wrote:
On 08.03.2013 13:15, Christian Heimes wrote:
I like to propose query string-like
key/value pairs. key/value pairs are more flexible and allow us to
add/remove new information in the future.
Good idea. I'll add that as extension mechanism.
I also
On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote:
After the feedback I got from Holger and Phillip, I'm currently
writing a new version, which drops some of the unneeded
requirements and spells out a few more things.
Here's a very short version...
Installers are modified:
On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote:
On 08.03.2013 13:15, Christian Heimes wrote:
On 08.03.2013 12:49, M.-A. Lemburg wrote:
Together with the added hash tag on the download file URLs (*),
this would solve the availability and the security aspects.
Instead of deprecating
On 08.03.2013 20:52, Noah Kantrowitz wrote:
On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote:
On 08.03.2013 13:15, Christian Heimes wrote:
On 08.03.2013 12:49, M.-A. Lemburg wrote:
Together with the added hash tag on the download file URLs (*),
this would solve the availability and the
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote:
MD5 is _not_ acceptable for anything security related and we shouldn't be
adding anything that increases our dependence on it. MD5's only use in the
packaging world is to make people who forget that TCP has its own
On 08.03.2013 20:16, PJ Eby wrote:
On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote:
After the feedback I got from Holger and Phillip, I'm currently
writing a new version, which drops some of the unneeded
requirements and spells out a few more things.
Here's a very short
On Mar 8, 2013, at 4:12 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote:
MD5 is _not_ acceptable for anything security related and we shouldn't be
adding anything that increases our dependence on it. MD5's only use in the
On 08.03.2013 20:16, PJ Eby wrote:
On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote:
So far the only practical problem I've found with the approach
is that the download page may not contain dynamic data, e.g.
a date or timestamp, since that causes the hash tag not to
On Mar 8, 2013, at 4:12 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote:
MD5 is _not_ acceptable for anything security related and we shouldn't be
adding anything that increases our dependence on it. MD5's only use in the
On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote:
BTW: If we go with the CDN caching model for external files, we'd
pull the download page links directly on the /simple/ index
page - as files, not external links.
We cannot download and rehost (even if we call it a cache)
On Mar 8, 2013, at 1:33 PM, Donald Stufft wrote:
On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote:
BTW: If we go with the CDN caching model for external files, we'd
pull the download page links directly on the /simple/ index
page - as files, not external links.
We cannot
On 08.03.2013 22:33, Donald Stufft wrote:
On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com
wrote:
BTW: If we go with the CDN caching model for external files,
we'd pull the download page links directly on the /simple/ index
page -
On Mar 8, 2013, at 4:50 PM, Christian Heimes christ...@python.org wrote:
On 08.03.2013 22:33, Donald Stufft wrote:
On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com
wrote:
BTW: If we go with the CDN caching model for external files,
we'd pull the download page links directly
On 08.03.2013 22:43, Daniel Holth wrote:
Check out https://blake2.net/ ; it is both faster and more secure than
md5. md5 does have to go, no matter how secure it is in this
particular application. SHA2 is the only choice that doesn't require a
long explanation. When this came up a little
On Mar 8, 2013, at 5:02 PM, Christian Heimes christ...@python.org wrote:
On 08.03.2013 22:43, Daniel Holth wrote:
Check out https://blake2.net/ ; it is both faster and more secure than
md5. md5 does have to go, no matter how secure it is in this
particular application. SHA2 is the only
On 08.03.2013 22:47, Donald Stufft wrote:
On Mar 8, 2013, at 4:45 PM, M.-A. Lemburg m...@egenix.com wrote:
On 08.03.2013 22:33, Donald Stufft wrote:
On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote:
BTW: If we go with the CDN caching model for external files, we'd
pull the
On Fri, Mar 8, 2013 at 4:17 PM, M.-A. Lemburg m...@egenix.com wrote:
On 08.03.2013 20:16, PJ Eby wrote:
There is, as I said before, a MUCH simpler way to do this, that works
right now: put direct #md5 download links in your description, and
phase out the rel= attributes altogether.
No, that
On Fri, Mar 8, 2013 at 4:26 PM, Donald Stufft don...@stufft.io wrote:
On Mar 8, 2013, at 4:12 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote:
MD5 is _not_ acceptable for anything security related and we shouldn't be
adding
On 08.03.2013 23:03, Donald Stufft wrote:
Sha-1 is broken. Sha-2 or better is the only real acceptable one
in the stdlib.
Well, then SHA-384 it is.
On Fri, Mar 8, 2013 at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote:
On 08.03.2013 20:16, PJ Eby wrote:
So, since the page only contains links, might as well put the links
straight on PyPI, or at most have an option/tool to load the links
from an external source.
I don't follow you. We only
On Mar 8, 2013, at 5:08 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 4:26 PM, Donald Stufft don...@stufft.io wrote:
On Mar 8, 2013, at 4:12 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote:
MD5 is _not_
On Fri, Mar 8, 2013 at 4:32 PM, Donald Stufft don...@stufft.io wrote:
Here's some more information pulled straight from Wikipedia:
Trust me, I've read a LOT of Wikipedia (and even more from other
sites, including at least the conclusions of a number of cryptography
papers) about hashing attacks
On 09/Mar/2013, at 00:15, Donald Stufft don...@stufft.io wrote:
On Mar 8, 2013, at 5:50 PM, PJ Eby p...@telecommunity.com wrote:
On Fri, Mar 8, 2013 at 4:32 PM, Donald Stufft don...@stufft.io wrote:
Here's some more information pulled straight from Wikipedia:
Trust
Hi Philip, all,
On Fri, Mar 08, 2013 at 14:16 -0500, PJ Eby wrote:
The key to making this transition isn't creating elaborate new
standards for the tools, it's *creating new tools for the standards*.
If we can find a way to improve PyPI and not require the world to
change first, that's a big