[Distutils] Proposal: drop md5 for sha256

Daniel Holth dholth at gmail.com
Wed Jul 4 20:51:39 CEST 2012


Every hash function is fast enough. SHA-256: > 100 megabytes per second on a
single core. Size of one of my normal virtualenvs: < 50. The proposal for
record just makes the hash pluggable, so if you have a slow machine and a
very fast disk and verifying distributions is taking too long then you can
do something about it.

I think the skein hash is even faster than md5 while also being modern, but
Jared surely can't use it unless it becomes SHA-3.

But if you really want to save some actual time, use binary packages :-)

pip install lxml - 1m 51s
pip install -f file:///temp/wheels lxml - 27s

I am not sure why pip is so slow for me. The lxml binary package install
could take as little as 0.1 seconds if pip wasn't consulting the net.

RPM hashes installed files. It is mostly to avoid accidentally deleting
edited configs, but you can "rpm verify" for other reasons if you want.
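
Added example, not part of the original message or of any project's code: a sketch of verifying installed files against a record whose hash algorithm is pluggable, with md5 refused by an allow-list. The `path,algorithm=digest,size` line layout with unpadded urlsafe base64 digests is an assumption (it is the form wheel's RECORD file uses), and the function names and sample files are hypothetical and constructed.

```python
import base64
import csv
import hashlib
import os
import pathlib
import tempfile

def digest_file(path, algorithm, chunk_size=1 << 16):
    """Hash a file with any hashlib algorithm; return unpadded urlsafe base64."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode("ascii")

def verify_record(record_text, root, allowed=("sha256", "sha384", "sha512")):
    """Return (path, reason) for every RECORD-style entry that fails verification."""
    failures = []
    for row in csv.reader(record_text.splitlines()):
        if not row or not row[1]:      # blank line or unhashed entry
            continue
        path, hash_field, size = row
        algorithm, _, expected = hash_field.partition("=")
        if algorithm not in allowed:   # refuse weak or unknown algorithms such as md5
            failures.append((path, "algorithm not allowed: " + algorithm))
            continue
        full = os.path.join(root, path)
        if size and os.path.getsize(full) != int(size):
            failures.append((path, "size mismatch"))
        elif digest_file(full, algorithm) != expected:
            failures.append((path, "hash mismatch"))
    return failures

def demo():
    """Record a constructed two-file tree, then tamper with one file and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {"pkg/__init__.py": b"VERSION = '1.0'\n",
                 "pkg/core.py": b"def f():\n    return 1\n"}
        lines = []
        for name, data in files.items():
            p = pathlib.Path(root, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            lines.append("%s,sha256=%s,%d" % (name, digest_file(p, "sha256"), len(data)))
        lines.append("pkg/legacy.py,md5=AAAA,4")  # constructed entry, disallowed hash
        record = "\n".join(lines)
        before = verify_record(record, root)
        pathlib.Path(root, "pkg/core.py").write_bytes(b"def f():\n    return 2\n")
        return before, verify_record(record, root)
```

`demo()` returns the failure lists before and after the tampering; the modified file keeps its size, so only the hash comparison catches it.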