[Distutils] Proposal: drop md5 for sha256
Glyph
glyph at twistedmatrix.com
Wed Jul 4 03:29:19 CEST 2012
On Jul 3, 2012, at 5:50 PM, PJ Eby <pje at telecommunity.com> wrote:
> Otherwise, we will have this exact same problem all over again when the replacement "secure" hash is disabled by a newer version of FIPS.
Or, you know, somebody could maintain the dang software and automate the process of producing these hashes. I am slightly baffled by the tone of this thread, like the hash algorithm needs to be set in stone forever. There's a reason that most software treats hashes as pluggable: new algorithms come out every few years, you have to expect that your choice will be obsoleted for some reason (not necessarily just security!) in the future. Granted, there's no real security in this case, but why not use a hash algorithm with less probability of collision?
-glyph
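The "pluggable hash" idea in the message above, as an added example; it is not part of the message and is not distutils or PyPI code. The `algo=hexdigest` tag format, the policy tuples and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed policy (not from the thread): digests accepted without complaint,
# preferred algorithm first, and legacy ones still readable but flagged.
PREFERRED = ("sha256", "sha512")
LEGACY = ("md5",)


def make_tag(data, algo=PREFERRED[0]):
    """Produce an 'algo=hexdigest' tag; publishers only use a preferred algo."""
    if algo not in PREFERRED:
        raise ValueError("refusing to publish with %r" % algo)
    return "%s=%s" % (algo, hashlib.new(algo, data).hexdigest())


def parse_tag(tag):
    """Split a tag into (algo, hexdigest), rejecting unknown or malformed ones."""
    algo, sep, hexdigest = tag.strip().partition("=")
    algo = algo.lower()
    if not sep or algo not in PREFERRED + LEGACY:
        raise ValueError("unsupported digest tag: %r" % tag)
    try:
        size = hashlib.new(algo).digest_size
    except ValueError:
        # For example, md5 switched off by a FIPS-mode build.
        raise ValueError("%s is disabled on this platform" % algo)
    hexdigest = hexdigest.lower()
    if len(hexdigest) != size * 2 or set(hexdigest) - set("0123456789abcdef"):
        raise ValueError("malformed %s digest" % algo)
    return algo, hexdigest


def verify(data, tag):
    """Return (matches, is_legacy) for data against an 'algo=hexdigest' tag."""
    algo, expected = parse_tag(tag)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected), algo in LEGACY


if __name__ == "__main__":
    payload = b"constructed sample payload"  # constructed input
    tag = make_tag(payload)
    print(tag, verify(payload, tag))
    print(verify(payload + b"!", tag))
```

Retiring an algorithm then means moving its name from `PREFERRED` to `LEGACY` (or dropping it) and regenerating the published tags, with no change to the verification code.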