3 Jul 2012, 11:14 a.m.
It's embarrassing to see md5 used for any reason. You go to pypi, and every download link has an md5 sum of the package, and you think "what is this archaic system that gives me a useless hash, implicated in such fine situations as the Flame malware and ever-improving attacks against md5?" It is irrelevant that it is "probably good enough for this limited use". You might as well use CRC32; it is much shorter. By re-using RECORD to include a secure hash of every file in an archive, you can sign all the files in the archive by signing RECORD, similar to how jars are signed. The digital signature is right there inside the archive, and if you decide you would rather have a .tar.xz instead of a .zip the signature is still valid.
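The scheme the post describes, as an added example that is not part of the original post or of any packaging tool: a RECORD-style manifest carries a SHA-256 digest and size for every file, the signature covers only RECORD, and verification runs over whatever container the files arrive in. The manifest line format (`path,sha256=<urlsafe base64>,size`) follows the wheel convention, the HMAC signature is a stand-in for whatever public-key signature a real signer would use (the post does not pick one), and the file contents, key and archive names are constructed for the demo.

```python
"""Sign a RECORD manifest of per-file SHA-256 digests and verify an archive
against it. Example code, not from the original post; the signing primitive
(HMAC-SHA256) is a placeholder for a real public-key signature."""
import base64
import hashlib
import hmac
import io
import tarfile
import zipfile

RECORD_NAME = "RECORD"  # assumed manifest file name, following the wheel convention


def _digest(data: bytes) -> str:
    # wheel-style encoding: urlsafe base64 of the raw digest, '=' padding stripped
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_record(files: dict) -> bytes:
    """files: {path: bytes}. Returns RECORD text listing every file with hash and size."""
    lines = [f"{path},{_digest(data)},{len(data)}" for path, data in sorted(files.items())]
    # RECORD lists itself without a hash, as wheels do: it cannot contain its own digest
    lines.append(f"{RECORD_NAME},,")
    return ("\n".join(lines) + "\n").encode()


def sign_record(record: bytes, key: bytes) -> str:
    """Stand-in signature over RECORD only; swapping in a public-key scheme changes
    nothing below, because the verifier only needs 'is this RECORD authentic?'."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def read_zip(blob: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def read_tar(blob: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}


def verify(files: dict, key: bytes, signature: str) -> list:
    """Return a list of problems; an empty list means every file matches the signed RECORD."""
    record = files.get(RECORD_NAME)
    if record is None:
        return ["RECORD missing"]
    if not hmac.compare_digest(sign_record(record, key), signature):
        return ["RECORD signature invalid"]  # never trust hashes from an unauthenticated manifest
    listed = {}
    for line in record.decode().splitlines():
        path, digest, size = line.split(",")
        if path != RECORD_NAME:
            listed[path] = (digest, int(size))
    problems = []
    for path, (digest, size) in listed.items():
        data = files.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif len(data) != size or not hmac.compare_digest(_digest(data), digest):
            problems.append(f"modified: {path}")
    for path in files:  # files present in the archive but absent from the signed list
        if path != RECORD_NAME and path not in listed:
            problems.append(f"unlisted: {path}")
    return problems


# --- constructed demo data (not real package contents) ---
KEY = b"demo-signing-key"
PAYLOAD = {"pkg/__init__.py": b"__version__ = '1.0'\n", "pkg/core.py": b"def f():\n    return 42\n"}


def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def make_tar(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    record = build_record(PAYLOAD)
    sig = sign_record(record, KEY)
    signed = {**PAYLOAD, RECORD_NAME: record}
    results = {
        "zip": verify(read_zip(make_zip(signed)), KEY, sig),        # same files as a .zip
        "tar_xz": verify(read_tar(make_tar(signed)), KEY, sig),     # same files as a .tar.xz
    }
    tampered = dict(signed)
    tampered["pkg/core.py"] = b"def f():\n    return 43\n"  # altered after signing
    tampered["extra.py"] = b""                                # injected, not in RECORD
    results["tampered"] = verify(read_zip(make_zip(tampered)), KEY, sig)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The zip and the .tar.xz verify against the same signature because the signature binds RECORD, not the container; the tampered archive is rejected both for the altered file and for the file RECORD never listed, which is why the verifier must also walk the archive and not only the manifest.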