On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote:
> On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
>
> > For this specific purpose, md5 is just as good as a proper hash. But all
> > else being equal, it would still be better to use a proper hash, just so
> > people don't
On Sat, Dec 08, 2018 at 11:05:43AM +0900, INADA Naoki wrote:
> We already use SHA256 on PyPI.
> Many projects in the world are moving from md5 to SHA256.
[...]
How easy is it to use sha256 on the major platforms, compared to md5?
On Linux, it is just as easy:
[steve@ando ~]$ md5sum x.py
On Fri, Dec 07, 2018 at 04:35:56PM -0800, Nathaniel Smith wrote:
> On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote:
>
> > On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
> >
> > > For this specific purpose, md5 is just as good as a proper hash. But all
> > > else being
>
> It seems to me that moving to a cryptographically-secure hash would give
> many people a false sense of security, that just because the hash
> matched, the download was not only not corrupted, but not compromised as
> well. For those two purposes:
>
> - testing for accidental corruption;
> -
On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote:
> On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
>
> > For this specific purpose, md5 is just as good as a proper hash. But all
> > else being equal, it would still be better to use a proper hash, just so
> > people don't
On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
> For this specific purpose, md5 is just as good as a proper hash. But all
> else being equal, it would still be better to use a proper hash, just so
> people don't have to go through the whole security analysis to check that.
I
For this specific purpose, md5 is just as good as a proper hash. But all
else being equal, it would still be better to use a proper hash, just so
people don't have to go through the whole security analysis to check that.
Of course all else isn't equal: switching from md5 to sha-whatever would
On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou wrote:
> If the site is vulnerable to modifications, then TLS doesn't help.
> Again: you must verify the GPG signatures (since they are produced by
> the release manager's private key, which is *not* stored on the
> python.org Web site).
>
This is
Would this change actually help people who need to use FIPS?
Other than that, this change would only decrease the already very small
probability of a corrupted download hashing the same, which isn't a bad
thing.
If it could make some users' jobs easier, even if it by no means helps
guaranteeing
On Fri, 7 Dec 2018 06:49:59 -0800 Devin Jeanpierre wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote:
>
> > md5 is only used for a quick integrity check here (think of it as a
> > sophisticated checksum). For security you need to verify the
> > corresponding GPG signature.
> >
>
Devil's advocate: it might complicate things for someone who needs to use
FIPS, where MD5 can be a pain to deal with.
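The two practical points raised so far, that sha256 is no harder to compute than md5 and that md5 is awkward under FIPS, can be shown in a small verifier. The following is an added example written for this thread; it is not code from python.org, from the release process, or from any poster. It assumes a downloaded file and a digest copied from the download page; `hashlib.md5(usedforsecurity=False)` is the real Python 3.9+ keyword that tells a FIPS-restricted OpenSSL the digest is used only as a checksum, and the fallback covers older interpreters.

```python
"""Verify a downloaded release file against a published checksum.

Added example for this thread, not code from python.org or any poster.
It computes md5/sha256/sha512 the same way, streams the file in chunks,
compares digests in constant time, and requests md5 as a non-security
checksum so a FIPS-mode OpenSSL does not refuse it.
"""
import hashlib
import hmac
import io

CHUNK_SIZE = 1 << 20  # 1 MiB; release tarballs are streamed, not read whole


def _new_hasher(algorithm: str):
    """Create a hashlib object; md5 is flagged as a non-security checksum."""
    if algorithm == "md5":
        try:
            # Python 3.9+: tells a FIPS-restricted OpenSSL that md5 is used
            # only as a checksum, which is how the download page uses it.
            return hashlib.md5(usedforsecurity=False)
        except TypeError:
            return hashlib.md5()  # pre-3.9 interpreter: keyword not available
    return hashlib.new(algorithm)  # sha256, sha512, ... (ValueError if unknown)


def digest_stream(fileobj, algorithm: str = "sha256") -> str:
    """Hex digest of a binary file object, read in CHUNK_SIZE pieces."""
    h = _new_hasher(algorithm)
    for chunk in iter(lambda: fileobj.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of the file at `path`."""
    with open(path, "rb") as f:
        return digest_stream(f, algorithm)


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string (same code path as files)."""
    return digest_stream(io.BytesIO(data), algorithm)


def checksum_matches(actual_hex: str, published_hex: str) -> bool:
    """Compare two hex digests case-insensitively and in constant time.

    A match shows only that the bytes received are the bytes the page
    describes, i.e. the download was not corrupted in transit. It cannot
    show the page itself was not altered, because the digest came from
    the same place as the file; authenticity needs the release manager's
    GPG signature, as the thread says.
    """
    return hmac.compare_digest(actual_hex.strip().lower(),
                               published_hex.strip().lower())


def verify_bytes(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """True if `data` hashes to `published_hex` under `algorithm`."""
    return checksum_matches(digest_bytes(data, algorithm), published_hex)


def verify_file(path: str, published_hex: str, algorithm: str = "sha256") -> bool:
    """True if the file at `path` hashes to `published_hex` under `algorithm`."""
    return checksum_matches(digest_file(path, algorithm), published_hex)


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded Python-3.x.y.tgz.
    sample = b"constructed release bytes, not a real tarball\n"
    for algo in ("md5", "sha256", "sha512"):
        print(f"{algo:<7} {digest_bytes(sample, algo)}")
    published = digest_bytes(sample, "sha256")  # what the page would list
    print("intact:   ", verify_bytes(sample, published))
    print("corrupted:", verify_bytes(sample[:-1] + b"?", published))
```

Switching the algorithm name is the whole cost of moving from md5 to sha256 or sha512 here, which is the point Steven makes about `md5sum` versus `sha256sum` on Linux. The `usedforsecurity=False` flag is what makes the md5 path usable at all under a FIPS-enforcing OpenSSL, which is the complication Devin raises.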
On Fri, Dec 7, 2018 at 8:50 AM Devin Jeanpierre wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote:
>
>> md5 is only used for a quick integrity check here (think of
On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote:
> md5 is only used for a quick integrity check here (think of it as a
> sophisticated checksum). For security you need to verify the
> corresponding GPG signature.
>
More to the point: you're getting the hash from the same place as the
On Fri, 7 Dec 2018 09:53:04 +0100 Miro Hrončok wrote:
> Hi,
>
> I see md5 checksums at a release download page such as [1].
>
> My idea is to switch to sha512 for a more reliable outcome.
>
> I'm no security expert, but AFAIK md5 is generally believed to be unsafe,
> as it was repeatedly
Hi,
I see md5 checksums at a release download page such as [1].
My idea is to switch to sha512 for a more reliable outcome.
I'm no security expert, but AFAIK md5 is generally believed to be unsafe,
as it has repeatedly been shown to be vulnerable [2].
[1]