On Tuesday, February 12, 2019, Alex Becker <alcubec...@gmail.com> wrote:

> Also note that the simple API only includes a single hash for each file,
> and may use md5 hashes instead of sha256 (technically it may use any of the
> hash algorithms guaranteed by hashlib, but I've only seen those two). The
> JSON API will give you *all* the hashes warehouse has for the file, which
> may be more useful.
>

MD5 is no longer suitable for verifying package integrity.

https://en.wikipedia.org/wiki/MD5#Security

> The security of the MD5 hash function is severely compromised. A
> collision attack exists that can find collisions within seconds on a
> computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).[18]
> Further, there is also a chosen-prefix collision attack that can produce a
> collision for two inputs with specified prefixes within hours, using
> off-the-shelf computing hardware (complexity 2^39).[19]


>
>
> Most likely (someone more familiar with Warehouse could answer this)
> Warehouse will select sha256 whenever it is available, so the simple API
> may be just as good for you. But it's something to consider.
>

https://github.com/pypa/warehouse/blob/master/warehouse/legacy/api/simple.py

https://github.com/pypa/warehouse/blob/master/tests/unit/legacy/api/test_simple.py

https://github.com/pypa/warehouse/blob/master/warehouse/packaging/models.py

File has a .md5_digest, .sha256_digest, and .blake2_256_digest

https://github.com/pypa/warehouse/search?q=md5_digest doesn't show
selection of a hash with precedence; so IDK where that functionality is?


> Best,
>
> Alex Becker
>

> On Tue, Feb 12, 2019 at 9:58 AM Paul Moore <p.f.mo...@gmail.com> wrote:
>
>> On Tue, 12 Feb 2019 at 16:28, Eric Peterson
>> <epeter...@interactivebrokers.com> wrote:
>> >
>> > Brilliant, that's exactly what I was looking for—both the simple API
>> > and json API look very useful. Thanks!
>>
>> Just a quick note, the simple API is required for every index server
>> to support, whereas the JSON API is not (yet?) standardised and may
>> not be supported anywhere other than PyPI (I don't know about devpi,
>> for example). This may not matter for your use case, but is useful to
>> know more generally.
>>
>> Paul
>> --
>> Distutils-SIG mailing list -- distutils-sig@python.org
>> To unsubscribe send an email to distutils-sig-le...@python.org
>> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
>> Message archived at https://mail.python.org/archives/list/distutils-sig@
>> python.org/message/ZOU33JCVN32DWHRU5MJYGOV52BE5JIR3/
>>
>
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/XLH7JLJHQUOSGBJVU4AVBMAFFQBRABGT/
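Added example (not Warehouse, pip, or any list member's code) illustrating the two points raised in the thread: a simple-API link carries exactly one hash, and a client should refuse to treat an MD5 match as proof of integrity while preferring sha256 or blake2b_256 when the JSON API offers them. It assumes the PEP 503 convention that the simple API puts the hash in the link's URL fragment as `#<hashname>=<hexdigest>`, and that the JSON API's `digests` mapping is keyed by algorithm name with `blake2b_256` meaning BLAKE2b with a 32-byte digest (the `blake2_256_digest` column mentioned above). The index page and file bytes below are constructed for the example.

```python
"""Pick and verify a package-file hash from simple-API or JSON-API output.

Added example, not Warehouse or pip code. Assumes the PEP 503 fragment
convention "#<hashname>=<hexdigest>" for simple-API links and a JSON
"digests" mapping keyed by algorithm name ("md5", "sha256", "blake2b_256").
"""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Algorithms accepted for integrity checks, strongest preference first.
# MD5 is deliberately absent: collisions are cheap, so an MD5 match proves nothing.
ACCEPTED = ("sha256", "blake2b_256")


def _digest(name: str, data: bytes) -> str:
    """Hex digest of data under a hashlib algorithm name.

    "blake2b_256" is the assumed Warehouse label for BLAKE2b with a 32-byte digest,
    which hashlib does not expose under that name.
    """
    if name == "blake2b_256":
        return hashlib.blake2b(data, digest_size=32).hexdigest()
    return hashlib.new(name, data).hexdigest()


class _LinkParser(HTMLParser):
    """Collect (filename, url_without_fragment, hashname, hexdigest) from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            parts = urlsplit(self._href)
            name, _, value = unquote(parts.fragment).partition("=")
            self.links.append((self._text.strip(),
                               parts._replace(fragment="").geturl(),
                               name.lower() or None, value.lower() or None))
            self._href = None


def parse_simple_links(page: str):
    """Return the single hash each simple-API link advertises (PEP 503 fragment)."""
    parser = _LinkParser()
    parser.feed(page)
    return parser.links


def choose_digest(digests: dict):
    """Strongest acceptable (name, hex) from a JSON-API "digests" mapping.

    Raises ValueError instead of silently downgrading when only md5 is offered.
    """
    for name in ACCEPTED:
        if digests.get(name):
            return name, digests[name].lower()
    raise ValueError("no acceptable digest offered: %s" % sorted(digests))


def verify(data: bytes, name: str, expected_hex: str) -> bool:
    """Constant-time comparison of the file's digest against the advertised one."""
    if name not in ACCEPTED:
        raise ValueError("refusing to verify with %s" % name)
    return hmac.compare_digest(_digest(name, data), expected_hex.lower())


def check_simple_page(page: str, filename: str, data: bytes) -> bool:
    """Verify downloaded bytes against the hash the simple-API page gives for filename."""
    for text, _url, name, value in parse_simple_links(page):
        if text == filename:
            return verify(data, name, value)
    raise LookupError("no link for %s" % filename)


# Constructed sample index page; fragments are generated from the sample bytes
# so they are correct by construction. The md5-only link models the case the
# thread warns about.
SAMPLE_DATA = b"fake-sdist-contents-for-the-example"
SAMPLE_PAGE = """<html><body>
<a href="https://files.example.invalid/pkg-1.0.tar.gz#sha256={sha}">pkg-1.0.tar.gz</a>
<a href="https://files.example.invalid/pkg-0.9.tar.gz#md5={md5}">pkg-0.9.tar.gz</a>
</body></html>""".format(sha=_digest("sha256", SAMPLE_DATA),
                         md5=_digest("md5", SAMPLE_DATA))

if __name__ == "__main__":
    print("pkg-1.0 verified:", check_simple_page(SAMPLE_PAGE, "pkg-1.0.tar.gz", SAMPLE_DATA))
    try:
        check_simple_page(SAMPLE_PAGE, "pkg-0.9.tar.gz", SAMPLE_DATA)
    except ValueError as exc:
        print("pkg-0.9 rejected:", exc)
```

`choose_digest` is the JSON-API counterpart: given the full `digests` mapping it returns the sha256 entry when present, falls back to blake2b_256, and raises when md5 is the only option, so a caller cannot accidentally end up with a check that the collision attacks quoted above make meaningless.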
