[issue28555] provid also sha-1 and sha-256 also on download links

2016-11-08 Thread Benjamin Peterson
Benjamin Peterson added the comment:

If python.org can be MITMed, it doesn't matter how secure the hash is.

On Tue, Nov 8, 2016, at 11:17, Big Stone wrote:
>
> Big Stone added the comment:
>
> I fear GPG is not easy stuff for Windows users.
>
> I fear a bunch of people on this network can

[issue28555] provid also sha-1 and sha-256 also on download links

2016-11-08 Thread Big Stone
Big Stone added the comment: I fear GPG is not easy stuff for Windows users. I fear a bunch of people on this network can circumvent DNS and make python.org point to the wrong place. sha-1 instead of md5 would have been an improvement.

[issue28555] provid also sha-1 and sha-256 also on download links

2016-11-07 Thread Benjamin Peterson
Benjamin Peterson added the comment: md5 is provided to verify the integrity of the download only. Use the GPG signatures to verify authenticity if the fact that all the downloads are served over HTTPS is insufficient. -- nosy: +benjamin.peterson resolution: -> wont fix status: open

[issue28555] provid also sha-1 and sha-256 also on download links

2016-11-07 Thread Berker Peksag
Changes by Berker Peksag: -- nosy: +ned.deily

[issue28555] provid also sha-1 and sha-256 also on download links

2016-10-29 Thread Big Stone
Big Stone added the comment: Oops! I mean "ON several sites" -- versions: +Python 3.6

[issue28555] provid also sha-1 and sha-256 also on download links

2016-10-29 Thread Big Stone
New submission from Big Stone: It would be nice to have also sha-1 and sha-256 provided with python-360b3 download links and announcement (so no separate sites). md5 is dangerously easy to work around nowadays -- messages: 279666 nosy: Big Stone priority: normal severity: normal status: