[Catalog-sig] hash tags

Christian Heimes christian at python.org
Sat Mar 9 19:09:37 CET 2013

Am 09.03.2013 02:06, schrieb Giovanni Bajo:
> It's a good practice to avoid crypto algorithms whose foundations are known to be broken. This is one of those cases. If we ever touch code that uses MD5, we should drop it immediately. There is no reason to keep it and wait for someone to release an attack, so that the world can point fingers at us and laugh.

Relax, MD5 is still fine to detect broken or partial downloads. Trust
me, this still happens a lot with broken proxy servers and unstable
network connections. I have seen my fair share of broken files during
deployments at works.

If we are going to remove MD5 *now*, then we are going to remove the
last bit of security from old tools. I agree that MD5 doesn't provide
strong cryptographic security. But it's still better than no checksum.

I also agree that we should no longer endorse MD5 and move to a strong
hash algorithm for checksums. People will point their fingers towards us
and laugh about Python when somebody abuses MD5 for an attack on PyPI.

file size + MD5 (for legacy) + SHA-2 look good to me.


More information about the Catalog-SIG mailing list