
At Tue, 3 Jul 2012 07:14:43 -0400, Daniel Holth wrote:
> It's embarrassing to see md5 used for any reason. You go to pypi, and every download link has an md5 sum of the package, and you think "what is this archaic system that gives me a useless hash, implicated in such fine situations as the Flame malware and ever-improving attacks against md5?" It is irrelevant that it is "probably good enough for this limited use". You might as well use CRC32; it is much shorter.
Yes, you're right, pypi could just as well use CRC32. From a security perspective nothing would change, nor would it if we switched to sha512, because there is no way to know whether the hash is correct. Without a trust path the hash is pretty useless except for verifying that the download isn't corrupted. And even if we had trust paths, the md5 attacks are collision attacks, not preimage attacks. That means the security threat you're worrying about is that a developer uploads something to pypi with the intention of replacing it by something else with the same hash without anyone noticing. And although it is worthwhile to protect against such things, you should also ask the question why you're running code from such a developer. And yes, attacks on md5 will only get better, so we should migrate to better hashes in the future. But if there is something to be embarrassed about, it's not the use of md5, but the lack of proper code signing and trust paths between developers.

Kind regards,

Jeroen Dekkers
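The point made in the reply above, as an added example that is not part of the thread: a client that checks the digest published by the index detects a corrupted download but not an index that replaced both the archive and its digest, and the outcome is identical for md5 and sha512. A keyed MAC over a constructed key stands in for a developer signature to show what a trust path changes (real code signing uses public-key signatures; the packages, key and names here are all constructed).

```python
"""Hash-from-the-same-channel vs. a trust path (constructed example)."""
import hashlib
import hmac

# Constructed sample "packages" and a stand-in developer signing key.
GENUINE = b"def hello():\n    return 'hello from the real package'\n"
SWAPPED = b"def hello():\n    return 'hello from a replaced package'\n"
DEV_KEY = b"constructed-developer-key"  # stand-in for a real signing key


def publish(archive: bytes, algo: str) -> dict:
    """What an index serves: the archive plus its digest, no trust path."""
    digest = hashlib.new(algo, archive).hexdigest()
    return {"archive": archive, "digest": digest, "algo": algo}


def sign(archive: bytes, key: bytes) -> str:
    """Developer-side stand-in for a signature over the archive (keyed MAC)."""
    return hmac.new(key, archive, "sha256").hexdigest()


def hash_matches(entry: dict) -> bool:
    """Client check: recompute the digest of whatever was downloaded."""
    seen = hashlib.new(entry["algo"], entry["archive"]).hexdigest()
    return hmac.compare_digest(seen, entry["digest"])


def signature_matches(entry: dict, sig: str, key: bytes) -> bool:
    """Client check with a trust path: verify the developer's signature."""
    return hmac.compare_digest(sign(entry["archive"], key), sig)


def corrupted(entry: dict) -> dict:
    """Simulate a broken download: one bit flipped, published digest unchanged."""
    data = bytearray(entry["archive"])
    data[0] ^= 0x01
    return {**entry, "archive": bytes(data)}


def index_swap(entry: dict) -> dict:
    """Simulate a compromised index: archive replaced AND digest republished."""
    return publish(SWAPPED, entry["algo"])


def scenario(algo: str) -> dict:
    """Outcomes for one hash algorithm; the result is the same for any algo."""
    genuine = publish(GENUINE, algo)
    sig = sign(GENUINE, DEV_KEY)  # obtained via a trust path, not the index
    return {
        "corruption_detected_by_hash": not hash_matches(corrupted(genuine)),
        "swap_detected_by_hash": not hash_matches(index_swap(genuine)),
        "swap_detected_by_signature": not signature_matches(index_swap(genuine), sig, DEV_KEY),
    }
```

Running `scenario("md5")` and `scenario("sha512")` yields the same dict: the hash alone catches corruption only, and only the signature check catches the swap.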