On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:

> For this specific purpose, md5 is just as good as a proper hash. But all
> else being equal, it would still be better to use a proper hash, just so
> people don't have to go through the whole security analysis to check that.

I don't understand what you are trying to say here about "the whole security analysis" to check "that". What security analysis, and what is "that"?

It seems to me that moving to a cryptographically-secure hash would give many people a false sense of security, that just because the hash matched, the download was not only not corrupted, but not compromised as well.

For those two purposes:

- testing for accidental corruption;
- testing for deliberate compromise;

md5 and sha512 are precisely equivalent: both are sufficient for the first, and useless for the second.

But a crypto-hash can give a false sense of security. The original post in this thread is evidence of that.

As such, I don't think we should move to anything stronger than md5.

--
Steve
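
The two purposes the message above distinguishes, as an added example that is not part of the original thread: a checksum hosted beside a download is checked against a file corrupted in transit and against a file replaced at the source. The function names and payload bytes are constructed for illustration, and the example assumes the checksums are served from the same place as the file.

```python
import hashlib

ALGORITHMS = ("md5", "sha512")


def publish(payload: bytes) -> dict:
    """Simulate a download server: a file plus the checksums hosted beside it."""
    return {
        "file": payload,
        "checksums": {a: hashlib.new(a, payload).hexdigest() for a in ALGORITHMS},
    }


def flip_bit(data: bytes, index: int) -> bytes:
    """Accidental corruption: a single bit flipped in transit."""
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def verify(downloaded: bytes, checksums: dict) -> dict:
    """Return, per algorithm, whether the download matches the published value."""
    return {
        a: hashlib.new(a, downloaded).hexdigest() == checksums[a]
        for a in ALGORITHMS
    }


def run_scenarios() -> dict:
    original = b"constructed installer bytes v1.0\n" * 64  # constructed sample
    server = publish(original)
    results = {}

    # 1. Clean download: both checksums match.
    results["clean"] = verify(server["file"], server["checksums"])

    # 2. Accidental corruption: the file changes, the published checksums do not.
    results["corrupted"] = verify(flip_bit(server["file"], 100), server["checksums"])

    # 3. Compromise at the source: whoever can replace the file can also
    #    regenerate the checksums that sit next to it.
    tampered = publish(original + b"constructed unwanted addition\n")
    results["compromised"] = verify(tampered["file"], tampered["checksums"])
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:12s} {outcome}")
```

Both algorithms report a mismatch for the corrupted download and a match for the replaced one, because in the third scenario the reference value comes from the same source as the file.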