26 Jul 2013, 5:55 p.m.
On Fri, Jul 26, 2013 at 12:25:36PM -0400, Donald Stufft wrote:
> PyPI has historically used MD5 in order to verify the downloads. However MD5 is severely broken and is generally regarded as something that should be migrated away from ASAP. From speaking with a number of cryptographers they've more or less said that the major reason they believe that MD5 hasn't had a published pre-image attack is just because it's so broken that most researchers have moved on to newer hashes.
Who said that? That contradicts my beliefs.

Thanks!

Regards,

Zooko