Devil's advocate: it might complicate things for someone that needs to use FIPS, where MD5 can be a pain to deal with.

On Fri, Dec 7, 2018 at 8:50 AM Devin Jeanpierre <jeanpierr...@gmail.com> wrote:

> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solip...@pitrou.net> wrote:
>
>> md5 is only used for a quick integrity check here (think of it as a
>> sophisticated checksum). For security you need to verify the
>> corresponding GPG signature.
>>
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So it
> doesn't matter. The real defense most people are relying on is TLS.
>
> -- Devin
> _______________________________________________
> Python-ideas mailing list
> Python-ideas@python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>