[Catalog-sig] hash tags

Giovanni Bajo rasky at develer.com
Sat Mar 9 20:20:17 CET 2013

Il giorno 09/mar/2013, alle ore 19:09, Christian Heimes <christian at python.org> ha scritto:

> Am 09.03.2013 02:06, schrieb Giovanni Bajo:
>> It's a good practice to avoid crypto algorithms whose foundations are known to be broken. This is one of those cases. If we ever touch code that uses MD5, we should drop it immediately. There is no reason to keep it and wait for someone to release an attack, so that the world can point fingers at us and laugh.
> Relax, MD5 is still fine to detect broken or partial downloads. Trust
> me, this still happens a lot with broken proxy servers and unstable
> network connections. I have seen my fair share of broken files during
> deployments at works.
> If we are going to remove MD5 *now*, then we are going to remove the
> last bit of security from old tools. I agree that MD5 doesn't provide
> strong cryptographic security. But it's still better than no checksum.

When I say "we should drop it", I obviously meant "replace it with a different algorithm".

The post was intended to make sure that we migrate away from it, since we're touching that code. I wasn't certainly advocating against using any checksum algorithm.
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4346 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130309/9d48bd04/attachment.bin>

More information about the Catalog-SIG mailing list