On 08/12/2018 05.55, Gregory P. Smith wrote:
>
> On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano <st...@pearwood.info> wrote:
>
>> On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
>>
>>> For this specific purpose, md5 is just as good as a proper hash. But all
>>> else being equal, it would still be better to use a proper hash, just so
>>> people don't have to go through the whole security analysis to check that.
>>
>> I don't understand what you are trying to say here about "the whole
>> security analysis" to check "that". What security analysis, and
>> what is "that"?
>>
>> It seems to me that moving to a cryptographically-secure hash would give
>> many people a false sense of security, that just because the hash
>> matched, the download was not only not corrupted, but not compromised as
>> well. For those two purposes:
>>
>> - testing for accidental corruption;
>> - testing for deliberate compromise;
>>
>> md5 and sha512 are precisely equivalent: both are sufficient for the
>> first, and useless for the second. But a crypto-hash can give a false
>> sense of security. The original post in this thread is evidence of that.
>>
>> As such, I don't think we should move to anything stronger than md5.
>
> If we switched to sha2+ or listed 8 different hashes at once in the
> announcement text so that nobody can find the actual link content, we'd
> stop having people pipe up and complain that we used md5 for something.
> Less mailing list threads like this one seems like a benefit. :P
>
> Debian provides all of the popular FIPS hashes, in side files, so people
> can use whatever floats their boat for a content integrity check:
> https://cdimage.debian.org/debian-cd/current/ppc64el/iso-cd/
By the way, it's a common misunderstanding that FIPS forbids MD5 in general. FIPS is more complicated than black and white lists of algorithms. FIPS also takes into account how an algorithm is used. For example, and if I recall correctly, AES-GCM is only allowed in network communication protocols but not for persistent storage.

Simply speaking: In FIPS mode, MD5 is still allowed in **non-security contexts**. You cannot use MD5 to make any security claims like file integrity. However, you are still allowed to use MD5 as a non-secure hash function to detect file corruption. The design and documentation must clearly state that you are only guarding against accidental file corruption caused by network or hardware issues, but not as protection against a malicious attacker.

Christian
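The two points made above (a checksum side file catches accidental corruption equally well with MD5 or SHA-512, and MD5 is only acceptable under FIPS when it is explicitly declared a non-security use) can be shown in a few lines of Python. The following is an added example, not code from the thread or from any project discussed in it; it reads and writes the `<hexdigest>  <filename>` layout produced by the coreutils `md5sum`/`sha512sum` tools (the layout Debian's side files use) and passes `usedforsecurity=False` to `hashlib.new`, which is the Python 3.9+ way of telling the hashlib backend that this MD5 is a non-security checksum. The file contents, file name and digests are constructed for the example.

```python
import hashlib
import hmac

FILENAME = "example.iso"
# Constructed stand-in for a downloaded image (not any real Debian or Python artifact).
PAYLOAD = b"constructed sample image contents\n" * 64
# A second constructed payload, used to show what a same-origin side file does and
# does not prove.
OTHER_PAYLOAD = b"a different constructed image\n" * 64


def checksum(data: bytes, algo: str) -> str:
    """Hex digest of data with the named hashlib algorithm.

    usedforsecurity=False (Python 3.9+) declares this a non-security use; without
    it a FIPS-mode hashlib refuses to construct an MD5 object at all."""
    try:
        h = hashlib.new(algo, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def make_sums(files: dict, algo: str) -> str:
    """Render a side file in md5sum/sha512sum format: '<hex>  <name>' per line."""
    return "".join(f"{checksum(data, algo)}  {name}\n" for name, data in files.items())


def parse_sums(text: str) -> dict:
    """Parse a *SUMS side file into {filename: hexdigest}.

    Accepts the coreutils layout, including the '*name' binary-mode marker and
    comment lines; a line without a file name is rejected rather than ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = hexdigest.lower()
    return entries


def verify(name: str, data: bytes, sums_text: str, algo: str) -> bool:
    """True iff data matches the digest the side file records for name.

    An unlisted file fails closed rather than being treated as 'unknown'."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(checksum(data, algo), expected)


def corrupt(data: bytes, offset: int = 10) -> bytes:
    """Flip one bit, simulating a transfer or disk error."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Run the same three checks with MD5 and SHA-512 and return the outcomes.

    'intact' and 'corrupted' are the accidental-corruption case the side file is
    meant for. 'replaced_with_matching_sums' is a payload served together with a
    side file regenerated for it: it verifies just as cleanly, with either
    algorithm, because a checksum only ties the bytes to the side file next to
    them, not to the publisher. The results are identical for both algorithms."""
    results = {}
    for algo in ("md5", "sha512"):
        sums = make_sums({FILENAME: PAYLOAD}, algo)
        other_sums = make_sums({FILENAME: OTHER_PAYLOAD}, algo)
        results[algo] = {
            "intact": verify(FILENAME, PAYLOAD, sums, algo),
            "corrupted": verify(FILENAME, corrupt(PAYLOAD), sums, algo),
            "replaced_with_matching_sums": verify(FILENAME, OTHER_PAYLOAD, other_sums, algo),
        }
    return results


if __name__ == "__main__":
    for algo, outcome in demo().items():
        print(algo, outcome)
```

Both rows printed by `demo()` are the same, which is the equivalence Steven describes: either digest catches the flipped bit, and neither distinguishes a genuine file from a substituted one whose side file was regenerated alongside it. On a FIPS-enabled build, dropping `usedforsecurity=False` turns the `md5` case into a `ValueError` at construction time, so the flag is exactly where the "non-security context" declaration lives in code.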