On Mon, 10 Dec 2018 07:31:44 +0100 Ronald Oussoren via Python-ideas <python-ideas@python.org> wrote:
>
> That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it
> harder to validate the checksum on major platforms.
>
> I don’t have a strong opinion either way, I’m slightly in favour of switching
> to the same algorithm as used on PyPI to be consistent within these PSF
> properties.
>
> BTW. I wonder how many actually verify these checksums; I personally
> generally assume that HTTPS downloads are reliable enough and don’t verify
> checksums unless I do the download in an automation pipeline.
Ah, the automation use case is a good point in favor of stronger hashes.
You may have checked the initial download hash and then use it in a script
to make sure later downloads haven't been tampered with.

Regards

Antoine.

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
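The pipeline scenario Antoine describes (record a digest once, then re-check every later download against it) as an added example. This is not code from the thread, from CPython or from the PSF download infrastructure; it assumes pins are written in the PyPI-style "algorithm=hexdigest" form, and the file name and payload in the demo are constructed stand-ins for a release tarball. It refuses MD5 and SHA-1 pins, since a pin only protects later downloads if the algorithm is collision resistant, and it streams the file so large artifacts are not read into memory.

```python
"""
Pinned-checksum verification for an automation pipeline.

Added example, not code from the python-ideas thread or from the PSF download
infrastructure. Assumes pins are stored as "<algorithm>=<hex>" (PyPI style);
the file name and payload in demo() are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted for a pin. MD5 and SHA-1 are deliberately excluded:
# if an attacker can craft two inputs with the same digest, a pin recorded
# against the first gives no assurance about the second.
STRONG_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})
HEX_DIGITS = frozenset("0123456789abcdef")


def digest_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_pin(pin):
    """Split an '<algorithm>=<hex>' pin; reject weak, unknown or malformed pins."""
    algorithm, sep, expected = pin.partition("=")
    algorithm = algorithm.strip().lower()
    expected = expected.strip().lower()
    if not sep or not expected:
        raise ValueError(f"malformed pin: {pin!r}")
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown hash algorithm: {algorithm!r}")
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != expected_len or not set(expected) <= HEX_DIGITS:
        raise ValueError(f"pin is not a {expected_len}-character hex digest: {pin!r}")
    return algorithm, expected


def verify_download(path, pin):
    """Return True if the file at `path` matches the pinned digest, else False."""
    algorithm, expected = parse_pin(pin)
    actual = digest_file(path, algorithm)
    # Constant-time comparison so a mismatch position is not leaked via timing.
    return hmac.compare_digest(actual, expected)


def pin_is_accepted(pin):
    """Helper for callers that only want a yes/no answer about a pin's format."""
    try:
        parse_pin(pin)
    except ValueError:
        return False
    return True


def demo():
    """Record a pin for an initial download, then detect a later modification.

    Returns (verified_initial, verified_after_tampering).
    """
    # Constructed stand-in for a release tarball (not a real artifact).
    payload = b"Python-3.7.1.tar.xz (constructed stand-in for a release tarball)\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Python-3.7.1.tar.xz")
        with open(path, "wb") as f:
            f.write(payload)
        # Recorded once, e.g. committed next to the pipeline definition.
        pin = "sha256=" + digest_file(path)
        verified_initial = verify_download(path, pin)
        # Simulate a later download that was altered in transit or at rest.
        with open(path, "ab") as f:
            f.write(b"\x00")
        verified_after_tampering = verify_download(path, pin)
    return verified_initial, verified_after_tampering


if __name__ == "__main__":
    first, tampered = demo()
    print("initial download matches pin:", first)
    print("modified download matches pin:", tampered)
```

The pin carries the algorithm name so a pipeline can be moved from one digest to another without changing the verifier; a pin whose algorithm is not in the accepted set fails closed rather than silently falling back.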