[Catalog-sig] hash tags

Donald Stufft donald at stufft.io
Fri Mar 8 23:03:30 CET 2013

On Mar 8, 2013, at 5:02 PM, Christian Heimes <christian at python.org> wrote:

> Am 08.03.2013 22:43, schrieb Daniel Holth:
>> Check out https://blake2.net/ ; it is both faster and more secure than
>> md5. md5 does have to go, no matter how secure it is in this
>> particular application. SHA2 is the only choice that doesn't require a
>> long explanation. When this came up a little less than a year ago we
>> talked about maybe including the SHA2 hash in one of the link
>> attributes <a href= something="hash"> for the benefit of old clients.
> Let's not add yet another crypto hash algorithm. :)
> We have SHA-1 and SHA-2, that's ought be be enough. SHA-3 is available
> for Python 3.4 and I provide stand-alone sources and binaries for 2.6 to
> 3.3. Blake2 looks nice but we should stick to NIST-approved algorithms.
> The combination of file size, MD5 (for legacy reasons), SHA-1 and
> perhaps SHA-256 is more than sufficient. Don't forget that files have to
> be valid tar.gz, tar.bz2, zip or Windows binaries, too …

Sha-1 is broken. Sha-2 or better is the only real acceptable one in the stdlib.

> Christian

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130308/bccc8e7d/attachment.pgp>

More information about the Catalog-SIG mailing list