On Tuesday, February 12, 2019, Wes Turner <wes.tur...@gmail.com> wrote:

>
>
> On Tuesday, February 12, 2019, Alex Becker <alcubec...@gmail.com> wrote:
>
>> Also note that the simple API only includes a single hash for each file,
>> and may use md5 hashes instead of sha256 (technically it may use any of the
>> hash algorithms guaranteed by hashlib, but I've only seen those two). The
>> JSON API will give you *all* the hashes warehouse has for the file, which
>> may be more useful.
>>
>
> MD5 is no longer suitable for verifying package integrity.
>
> https://en.wikipedia.org/wiki/MD5#Security
>
> > The security of the MD5 hash function is severely compromised. A
> > collision attack exists that can find collisions within seconds on a
> > computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).[18]
> > Further, there is also a chosen-prefix collision attack that can produce a
> > collision for two inputs with specified prefixes within hours, using
> > off-the-shelf computing hardware (complexity 2^39).[19]
>
>

[...]


>
> File has a .md5_digest, .sha256_digest, and .blake2_256_digest
>
> https://github.com/pypa/warehouse/search?q=md5_digest doesn't show
> selection of a hash with precedence; so IDK where that functionality is?
>

Oh, there it is in
https://github.com/pypa/warehouse/blob/master/warehouse/templates/legacy/api/simple/detail.html#L22 :
the simple index *only* includes the sha256 hash.


>
>
>> Best,
>>
>> Alex Becker
>>
>
>> On Tue, Feb 12, 2019 at 9:58 AM Paul Moore <p.f.mo...@gmail.com> wrote:
>>
>>> On Tue, 12 Feb 2019 at 16:28, Eric Peterson
>>> <epeter...@interactivebrokers.com> wrote:
>>> >
>>> > Brilliant, that's exactly what I was looking for—both the simple API
>>> > and json API look very useful. Thanks!
>>>
>>> Just a quick note, the simple API is required for every index server
>>> to support, whereas the JSON API is not (yet?) standardised and may
>>> not be supported anywhere other than PyPI (I don't know about devpi,
>>> for example). This may not matter for your use case, but is useful to
>>> know more generally.
>>>
>>> Paul
>>> --
>>> Distutils-SIG mailing list -- distutils-sig@python.org
>>> To unsubscribe send an email to distutils-sig-le...@python.org
>>> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
>>> Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/ZOU33JCVN32DWHRU5MJYGOV52BE5JIR3/
>>>
>>
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/DIRIF65RN4DQX5QAVTQTZPQACI2F7U6A/
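As an added example (not code from this thread, nor from warehouse or pip), a small Python check that parses the `#<alg>=<hex>` fragment from a simple-index detail page, picks the strongest digest from a JSON-API style `digests` dict, and refuses to verify a file with md5; the hostnames, file bytes and page contents are constructed fixtures, and the key names `md5`/`sha256`/`blake2b_256` follow what PyPI's JSON API returns.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Algorithms accepted for integrity checks, strongest first; md5 is
# deliberately absent because of the collision attacks cited above.
TRUSTED_ALGORITHMS = ("sha256", "blake2b_256")

def compute_digest(algorithm, data):
    """Hex digest of data under a hashlib algorithm, named as PyPI names it."""
    if algorithm == "blake2b_256":          # PyPI's name for 256-bit BLAKE2b
        return hashlib.blake2b(data, digest_size=32).hexdigest()
    return hashlib.new(algorithm, data).hexdigest()

def parse_simple_index(html):
    """Map filename -> (algorithm, hexdigest) from the '#alg=hex' fragments."""
    found = {}
    for href, name in re.findall(r'<a href="([^"]+)">([^<]+)</a>', html):
        fragment = urlsplit(href).fragment
        if "=" in fragment:
            algorithm, _, hexdigest = fragment.partition("=")
            found[name] = (algorithm, hexdigest.lower())
    return found

def pick_json_digest(digests):
    """From a JSON-API 'digests' dict, return the strongest trusted entry."""
    for algorithm in TRUSTED_ALGORITHMS:
        if algorithm in digests:
            return algorithm, digests[algorithm].lower()
    raise ValueError("no trusted digest offered: %s" % sorted(digests))

def verify_file(data, algorithm, expected_hex):
    """True only if the algorithm is trusted and the digest matches exactly."""
    if algorithm not in TRUSTED_ALGORITHMS:
        raise ValueError("refusing to verify with %s" % algorithm)
    return hmac.compare_digest(compute_digest(algorithm, data), expected_hex)

# Constructed fixtures: a fake sdist body, a simple-index page shaped like the
# warehouse template (one '#<alg>=<hex>' fragment per link), and a JSON-API
# style digests dict for the same file.
SAMPLE_FILE = b"constructed sdist bytes for pkg-1.0\n"
SIMPLE_HTML = (
    '<a href="https://files.example.invalid/pkg-1.0.tar.gz#sha256=%s">pkg-1.0.tar.gz</a>\n'
    '<a href="https://files.example.invalid/pkg-0.9.tar.gz#md5=%s">pkg-0.9.tar.gz</a>\n'
) % (compute_digest("sha256", SAMPLE_FILE), compute_digest("md5", SAMPLE_FILE))
SAMPLE_DIGESTS = {alg: compute_digest(alg, SAMPLE_FILE)
                  for alg in ("md5", "sha256", "blake2b_256")}
```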
