[Distutils] Proposal: drop md5 for sha256

Jeroen Dekkers jeroen at dekkers.ch
Tue Jul 3 17:57:18 CEST 2012


At Tue, 3 Jul 2012 10:32:43 -0400,
PJ Eby wrote:
> 
> On Tue, Jul 3, 2012 at 8:48 AM, Jeroen Dekkers <jeroen at dekkers.ch> wrote:
> 
> > And yes, attacks on md5 will only get better, so we should migrate to
> > better hashes in the future.
> 
> 
> No, because that's not what the RECORD hashes are for.  It's not an
> intrusion detection system, it's an installer conflict and "oops I edited
> the wrong file" checker.

Sorry for not being clear, but I totally agree. I was replying to the
"md5 on PyPI are embarrassing" part and meant that we should migrate to
use better hashes on PyPI in the future.


Jeroen Dekkers

