
On 03/07/2012 10:53, Tarek Ziadé wrote:
On 7/3/12 4:32 PM, PJ Eby wrote:
No, because that's not what the RECORD hashes are for. It's not an intrusion detection system, it's an installer conflict and "oops I edited the wrong file" checker.
People who are upset because md5 is low security are correctly understanding that this system *provides no security*. We are not promising ANY security, so *not* using a secure hash is actually preferable. The goal is data integrity against accidental overwrite by dumb installer tools (e.g. distutils) and accidental edits, not security against malicious tampering.
Exactly. Promises of false security do not help users.
Yeah, I don't really understand this debate over md5 hashes here. I suggest that we emphasize in PEP 376 the fact that the sole purpose is to have a checksum.
Putting that on my list of editions for the PEPs! Cheers