[Catalog-sig] hash tags

Christian Heimes christian at python.org
Fri Mar 8 23:02:11 CET 2013


On 08.03.2013 22:43, Daniel Holth wrote:
> Check out https://blake2.net/ ; it is both faster and more secure than
> md5. md5 does have to go, no matter how secure it is in this
> particular application. SHA2 is the only choice that doesn't require a
> long explanation. When this came up a little less than a year ago we
> talked about maybe including the SHA2 hash in one of the link
> attributes <a href= something="hash"> for the benefit of old clients.

Let's not add yet another crypto hash algorithm. :)

We have SHA-1 and SHA-2, that ought to be enough. SHA-3 is available
for Python 3.4 and I provide stand-alone sources and binaries for 2.6 to
3.3. Blake2 looks nice but we should stick to NIST-approved algorithms.

The combination of file size, MD5 (for legacy reasons), SHA-1 and
perhaps SHA-256 is more than sufficient. Don't forget that files have to
be valid tar.gz, tar.bz2, zip or Windows binaries, too ...

Christian
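
Added example, not part of the original message or of any PyPI client: a sketch of the combined check described above, where a download is accepted only if its size, MD5, SHA-1 and SHA-256 all match and the bytes still parse as an archive. The function names and the sample tarball are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile
import zipfile
import zlib

ALGORITHMS = ("md5", "sha1", "sha256")  # the digests named in the message

def fingerprint(data):
    """Return size plus one hex digest per algorithm for the given bytes."""
    result = {"size": len(data)}
    for name in ALGORITHMS:
        result[name] = hashlib.new(name, data).hexdigest()
    return result

def is_archive(data):
    """True if data parses as a zip file or a (possibly compressed) tar file."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return True
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            tar.getmembers()
        return True
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False

def verify(data, expected):
    """Return the names of failed checks; an empty list means accepted."""
    actual = fingerprint(data)
    failures = [] if actual["size"] == expected["size"] else ["size"]
    for name in ALGORITHMS:
        if not hmac.compare_digest(actual[name], expected[name].lower()):
            failures.append(name)
    if not is_archive(data):
        failures.append("format")
    return failures

def sample_sdist():
    """Constructed sample: a tiny in-memory tar.gz standing in for a release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"print('demo')\n"
        info = tarfile.TarInfo("demo-1.0/setup.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

A substitute file has to pass every check at once, so a collision in one digest alone is not enough to get it accepted.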

