On Tuesday, February 12, 2019, Alex Becker <alcubecker@gmail.com> wrote:
Also note that the simple API only includes a single hash for each file, and may use md5 hashes instead of sha256 (technically it may use any of the hash algorithms guaranteed by hashlib, but I've only seen those two). The JSON API will give you *all* the hashes warehouse has for the file, which may be more useful.
MD5 is no longer suitable for verifying package integrity.
> The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).[18] Further, there is also a chosen-prefix collision attack that can produce a collision for two inputs with specified prefixes within hours, using off-the-shelf computing hardware (complexity 2^39).[19]
Most likely (someone more familiar with Warehouse could answer this) Warehouse will select sha256 whenever it is available, so the simple API may be just as good for you. But it's something to consider.
File has a .md5_digest, .sha256_digest, and .blake2_256_digest
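An added example (not code from this thread, nor from Warehouse or pip) of the checks the discussion implies: reject an md5-only hash, prefer sha256 or blake2b_256 when the JSON API offers several digests, and verify the download against the chosen one. The `digests` key names and the 32-byte blake2b digest size are assumptions; the sample bytes and digests are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Digest algorithms accepted for integrity verification, strongest first.
# MD5 is deliberately absent: collisions are cheap, so an MD5 match proves little.
ACCEPTABLE = ("sha256", "blake2b_256")

def simple_api_hash(url):
    """Return (algorithm, hexdigest) from a simple-API link fragment such as
    '...whl#sha256=abc...', or None when the link carries no hash."""
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        return None
    algo, _, digest = fragment.partition("=")
    return algo.lower(), digest.lower()

def pick_digest(digests):
    """From a JSON-API style 'digests' mapping (assumed key spelling) choose the
    strongest acceptable entry; None means nothing trustworthy was offered."""
    for algo in ACCEPTABLE:
        if algo in digests:
            return algo, digests[algo].lower()
    return None

def verify(data, algo, expected):
    """True only if data hashes to expected under an acceptable algorithm."""
    if algo == "blake2b_256":
        # Assumed to be BLAKE2b truncated to a 256-bit (32-byte) digest.
        actual = hashlib.blake2b(data, digest_size=32).hexdigest()
    elif algo in ACCEPTABLE:
        actual = hashlib.new(algo, data).hexdigest()
    else:
        return False  # md5 and anything unknown fail closed
    return hmac.compare_digest(actual, expected.lower())

def check_simple_link(url, data):
    """Verify a download against the single hash a simple-API link carries."""
    parsed = simple_api_hash(url)
    if parsed is None:
        return False
    return verify(data, *parsed)

# Constructed sample: a fake file body and the digests a JSON-API entry would list.
SAMPLE = b"fake wheel contents\n"
SAMPLE_DIGESTS = {
    "md5": hashlib.md5(SAMPLE).hexdigest(),
    "sha256": hashlib.sha256(SAMPLE).hexdigest(),
    "blake2b_256": hashlib.blake2b(SAMPLE, digest_size=32).hexdigest(),
}
```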