On 29 Jul, 2013, at 22:33, Donald Stufft <don...@stufft.io> wrote: > > On Jul 29, 2013, at 3:14 PM, Donald Stufft <don...@stufft.io> wrote: > >> >> On Jul 29, 2013, at 2:57 PM, zooko <zo...@zooko.com> wrote: >> >>> I'd like to push back on the other risk, that someone might figure out how >>> to >>> make MD5 second-pre-images. I don't think this is a risk that we need to >>> urgently address, and I've written a short note explaining why. This note is >>> incomplete, badly edited, has not been peer-reviewed, and is not ready for >>> publication, but I thought it might help folks evaluate how urgent it is to >>> upgrade from MD5, so here it is. >> >> I don't think it's urgent to fix it, but I think it's a good security >> hardening effort >> with very little downside and very little chance of regression. However, as I >> said if Holger, or anyone else, has a concern about the affects of adding >> this >> bit of security hardening to give us a safety net again then I simply won't >> do >> it in the simple API. >> >> ----------------- >> Donald Stufft >> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA >> >> _______________________________________________ >> Distutils-SIG maillist - Distutils-SIG@python.org >> http://mail.python.org/mailman/listinfo/distutils-sig > > Somewhat relevant to the question at hand: http://valerieaurora.org/hash.html > > (Yes it lists sha-2 as weakened, which it is. However sha-3 isn't widespread > enough for us :( )
That SHA-3 isn't widespread yet is not a surprise, AFAIK it isn't even a standard yet :-). According to <http://csrc.nist.gov/groups/ST/hash/sha-3/timeline_fips.html> the standard will be finalized in Q2 2014. BTW. I agree that the MD5 checksums on PyPI will have to go some time, and it would be nice if the replacement scheme had a way to use multiple hashes to make it easier to switch to a hash in future. I know to little of the setuptools and pip implementations to have anything useful to add to the discussion about the timing for this. Ronald > > ----------------- > Donald Stufft > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG@python.org > http://mail.python.org/mailman/listinfo/distutils-sig _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
