18 Mar 2011
Marius Gedminas wrote:
Please don't hardcode the checksum algorithm to MD5. Security researchers have been telling everyone to stop using MD5 (and SHA1) for a while now.
Good point. All this talk about MD5 specifically has been due to the fact that this is what used to be used by the download API and the gocept.download recipe so far. To take up the idea I posted a few minutes ago, one might specify checksums like this:
    [checksums]
    foo = http://example.org/foo.tgz algorithm:checksum-value
Since the checksum would be evaluated by the download API itself, many checksum algorithms could be used since adding another algorithm in this one place would add it consistently to all pieces of buildout and recipes that download things.
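The following is an added illustration of the proposal above, not code from zc.buildout, gocept.download or anyone in this thread. It assumes an `algorithm:hexdigest` spec as sketched in the message, treats a bare digest without a prefix as a legacy MD5 value (an assumption, not something the thread states), and puts the algorithm policy in one allow-list so that, as the message argues, every consumer of the download API gets the same set of accepted algorithms. All function and constant names are hypothetical, and the sample `[checksums]` section is constructed.

```python
import hashlib
import hmac

# Assumption for this example: only these algorithms are accepted for new
# checksums.  hashlib.new() can build md5 and sha1 just as easily, which is
# exactly what the thread argues against, so the allow-list is the policy knob.
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})

# Assumption: a bare digest with no "algorithm:" prefix is an old-style MD5
# value from a config written before the algorithm was configurable.
LEGACY_ALGORITHM = "md5"

# Constructed sample of the proposed [checksums] section (not from the thread).
# Both digests are of the empty input, chosen so they are easy to recognise.
SAMPLE_SECTION = """\
[checksums]
foo = http://example.org/foo.tgz sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
bar = http://example.org/bar.tgz d41d8cd98f00b204e9800998ecf8427e
"""


def parse_checksum_spec(spec):
    """Split 'algorithm:hexdigest' into (algorithm, hexdigest)."""
    spec = spec.strip()
    if ":" in spec:
        algorithm, _, digest = spec.partition(":")
    else:
        algorithm, digest = LEGACY_ALGORITHM, spec
    algorithm = algorithm.strip().lower()
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum value is not a hex digest: %r" % spec)
    return algorithm, digest


def make_checksum_spec(data, algorithm):
    """Produce the 'algorithm:hexdigest' string a config author would write."""
    return "%s:%s" % (algorithm, hashlib.new(algorithm, data).hexdigest())


def verify_checksum(data, spec, allow_legacy=False):
    """Return True if data matches spec; raise ValueError otherwise.

    The algorithm is checked against the allow-list (and bare legacy MD5 is
    rejected unless allow_legacy is set) before anything is hashed, and the
    digests are compared in constant time.
    """
    algorithm, expected = parse_checksum_spec(spec)
    if algorithm not in ALLOWED_ALGORITHMS and not (
        allow_legacy and algorithm == LEGACY_ALGORITHM
    ):
        raise ValueError("checksum algorithm %r is not allowed" % algorithm)
    try:
        actual = hashlib.new(algorithm, data).hexdigest()
    except ValueError:
        raise ValueError("unknown checksum algorithm %r" % algorithm)
    if len(actual) != len(expected):
        raise ValueError("wrong digest length for %s" % algorithm)
    if not hmac.compare_digest(actual, expected):
        raise ValueError("checksum mismatch for %s" % algorithm)
    return True


def checksum_error(data, spec, allow_legacy=False):
    """Like verify_checksum, but return the error message (or None) instead
    of raising, for callers that want to report rather than abort."""
    try:
        verify_checksum(data, spec, allow_legacy)
    except ValueError as exc:
        return str(exc)
    return None


def parse_checksums_section(text):
    """Parse 'name = url algorithm:digest' lines into {name: (url, spec)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        name, sep, rest = line.partition("=")
        fields = rest.split()
        if not sep or len(fields) != 2:
            raise ValueError("expected 'name = url algorithm:digest': %r" % line)
        entries[name.strip()] = (fields[0], fields[1])
    return entries


if __name__ == "__main__":
    for name, (url, spec) in parse_checksums_section(SAMPLE_SECTION).items():
        # In real use the bytes would come from downloading `url`; here the
        # sample digests are of the empty input, so b"" stands in for them.
        print(name, url, checksum_error(b"", spec, allow_legacy=True) or "ok")
```

Because the parsing, the allow-list and the comparison all live in one place, a recipe that wants a new algorithm changes nothing on its side, and a recipe that still carries a bare MD5 value only keeps working if the caller explicitly opts into the legacy form.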