On Tue, Jul 3, 2012 at 8:48 AM, Jeroen Dekkers <[email protected]> wrote:
> And yes, attacks on md5 will only get better, so we should migrate to
> better hashes in the future.

No, because that's not what the RECORD hashes are for. It's not an intrusion detection system, it's an installer conflict and "oops I edited the wrong file" checker. People who are upset because md5 is low security are correctly understanding that this system *provides no security*. We are not promising ANY security, so *not* using a secure hash is actually preferable. The goal is data integrity against accidental overwrite by dumb installer tools (e.g. distutils) and accidental edits, not security against malicious tampering.
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
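An added example, not part of the original message and not code from any packaging tool: a minimal manifest check illustrating the distinction drawn in the reply above, where a stored hash catches an accidental edit but says nothing once the manifest itself is regenerated. The three-column `path,md5,size` row layout, the file name `pkg.py` and the function names are assumptions made for illustration.

```python
import csv
import hashlib
import os
import tempfile


def write_record(root, names):
    """Write a RECORD-style manifest (assumed layout: path,md5hex,size)."""
    rows = []
    for name in names:
        with open(os.path.join(root, name), "rb") as f:
            data = f.read()
        rows.append((name, hashlib.md5(data).hexdigest(), len(data)))
    with open(os.path.join(root, "RECORD"), "w", newline="") as f:
        csv.writer(f).writerows(rows)


def check_record(root):
    """Return the paths whose current content no longer matches RECORD."""
    changed = []
    with open(os.path.join(root, "RECORD"), newline="") as f:
        for name, digest, size in csv.reader(f):
            try:
                with open(os.path.join(root, name), "rb") as g:
                    data = g.read()
            except FileNotFoundError:
                changed.append(name)  # removed by another tool or by hand
                continue
            if len(data) != int(size) or hashlib.md5(data).hexdigest() != digest:
                changed.append(name)
    return changed


def demo():
    """Run the check after install, after an edit, and after a manifest rewrite."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "pkg.py")  # constructed sample file
        with open(path, "w") as f:
            f.write("VALUE = 1\n")
        write_record(root, ["pkg.py"])
        clean = check_record(root)       # fresh install: nothing flagged
        with open(path, "a") as f:       # accidental edit or overwrite
            f.write("VALUE = 2\n")
        accidental = check_record(root)  # the edit is flagged
        # Whoever can write the file can also regenerate the manifest next to it;
        # nothing authenticates RECORD, so hash strength does not change this result.
        write_record(root, ["pkg.py"])
        rewritten = check_record(root)   # nothing flagged any more
        return clean, accidental, rewritten
```
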
