[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Jeremy Stanley wrote: > On 2019-02-12 18:42:29 -0500 (-0500), Wes Turner wrote: > [...] > > All it has to be is an archive containing a setup.py. > > > > "MD5 considered harmful today: > > Creating a rogue CA certificate" (2008) > >

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Jeremy Stanley
On 2019-02-12 18:42:29 -0500 (-0500), Wes Turner wrote: [...] > All it has to be is an archive containing a setup.py. > > "MD5 considered harmful today: > Creating a rogue CA certificate" (2008) > https://www.win.tue.nl/hashclash/rogue-ca/ You keep trotting out PKI examples as if they have

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Jeremy Stanley wrote: > On 2019-02-12 17:02:25 -0500 (-0500), Wes Turner wrote: > > On Tuesday, February 12, 2019, Wes Turner wrote: > [...] > > > It is possible to find a nonce value that causes an arbitrary package > to > > > have the same MD5 hash as the actual

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Trishank Kuppusamy <trishank.kuppus...@datadoghq.com> wrote: > On Tue, Feb 12, 2019 at 5:32 PM Cooper Ry Lees wrote: > >> TUF should be handled via a grant from Facebook this year once Ernest and >> I get this underway: >>

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Jeremy Stanley
On 2019-02-12 17:02:25 -0500 (-0500), Wes Turner wrote: > On Tuesday, February 12, 2019, Wes Turner wrote: [...] > > It is possible to find a nonce value that causes an arbitrary package to > > have the same MD5 hash as the actual package. > > e.g. browsers MUST NOT rely upon MD5 for x.509

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Trishank Kuppusamy
On Tue, Feb 12, 2019 at 5:32 PM Cooper Ry Lees wrote: > TUF should be handled via a grant from Facebook this year once Ernest and > I get this underway: > > https://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html > > We will take all the help we can get, but we'll have

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Cooper Ry Lees
TUF should be handled via a grant from Facebook this year once Ernest and I get this underway: https://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html We will take all the help we can get, but

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Wes Turner wrote: > > > On Tuesday, February 12, 2019, Jeremy Stanley wrote: > >> On 2019-02-12 13:37:20 -0500 (-0500), Wes Turner wrote: >> > MD5 is no longer suitable for verifying package integrity. >> > >> > https://en.wikipedia.org/wiki/MD5#Security >> > >> >

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Jeremy Stanley wrote: > On 2019-02-12 13:37:20 -0500 (-0500), Wes Turner wrote: > > MD5 is no longer suitable for verifying package integrity. > > > > https://en.wikipedia.org/wiki/MD5#Security > > > > > The security of the MD5 hash function is severely

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Jeremy Stanley
On 2019-02-12 13:37:20 -0500 (-0500), Wes Turner wrote: > MD5 is no longer suitable for verifying package integrity. > > https://en.wikipedia.org/wiki/MD5#Security > > > The security of the MD5 hash function is severely compromised. A > > collision attack exists [...] there is also a

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Jeremy Stanley
On 2019-02-12 12:42:27 -0500 (-0500), Wes Turner wrote: [...] > - cryptographically sign the SHA-256 checksums with a key and retrieve the > corresponding key over a different channel [...] If you're going to use asymmetric cryptography with PKI to sign something, you might as well just directly

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Wes Turner wrote: > > > On Tuesday, February 12, 2019, Alex Becker wrote: > >> Also note that the simple API only includes a single hash for each file, >> and may use md5 hashes instead of sha256 (technically it may use any of the >> hash algorithms guaranteed by

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Alex Becker wrote: > Also note that the simple API only includes a single hash for each file, > and may use md5 hashes instead of sha256 (technically it may use any of the > hash algorithms guaranteed by hashlib, but I've only seen those two). The > JSON API will

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Donald Stufft
> On Feb 12, 2019, at 1:27 PM, Dustin Ingram wrote: > > Most likely (someone more familiar with Warehouse could answer this) > Warehouse will select sha256 whenever it is available, so the simple API may > be just as good for you. But it's something to consider. > > The simple API will

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Dustin Ingram
> > Most likely (someone more familiar with Warehouse could answer this) > Warehouse will select sha256 whenever it is available, so the simple API > may be just as good for you. But it's something to consider. > The simple API will always have the sha256 digest, for every file.

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Cooper Ry Lees
> On Feb 12, 2019, at 9:57 AM, Paul Moore wrote: > > On Tue, 12 Feb 2019 at 16:28, Eric Peterson wrote: >> >> Brilliant, that's exactly what I was looking for—both the simple API and >> json API look very useful. Thanks! > > Just a quick note, the simple API is required for every index

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Alex Becker
Also note that the simple API only includes a single hash for each file, and may use md5 hashes instead of sha256 (technically it may use any of the hash algorithms guaranteed by hashlib, but I've only seen those two). The JSON API will give you *all* the hashes warehouse has for the file, which

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Paul Moore
On Tue, 12 Feb 2019 at 16:28, Eric Peterson wrote: > > Brilliant, that's exactly what I was looking for—both the simple API and json > API look very useful. Thanks! Just a quick note, the simple API is required for every index server to support, whereas the JSON API is not (yet?) standardised

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Wes Turner
On Tuesday, February 12, 2019, Eric Peterson <epeter...@interactivebrokers.com> wrote: > > [...]. I am wondering if there is a programmatic way to access the SHA-256 > for a file (besides just scraping the web page)? Ideally there would be > some way to construct a URL based on the name of the

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Eric Peterson
Brilliant, that's exactly what I was looking for—both the simple API and json API look very useful. Thanks! —Eric On Feb 12, 2019, at 10:31 AM, Dustin Ingram <d...@python.org> wrote: Hashes are also available via PyPI's JSON

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Dustin Ingram
Hashes are also available via PyPI's JSON API. On Tue, Feb 12, 2019 at 7:15 AM Tzu-ping Chung wrote: > I believe you’re looking for the PEP 503 simple API. This is what pip uses to > find the

[Distutils] Re: API for SHA-256 fingerprints

2019-02-12 Thread Tzu-ping Chung
I believe you’re looking for the PEP 503 simple API. This is what pip uses to find the hashes (among other things) as well. The hash value is included as a fragment in the URL. TP > On 12/2/2019, at 23:03, Eric Peterson wrote: > > Hi all, > >