[Distutils] Migrating Hashes from MD5 to SHA256

PJ Eby pje at telecommunity.com
Fri Jul 26 20:33:07 CEST 2013


On Fri, Jul 26, 2013 at 12:25 PM, Donald Stufft <donald at stufft.io> wrote:
> Additionally there is no security list from setuptools versions earlier than 0.7.

Not true, actually.  Setuptools 0.6 dev releases supported SSL
verification since mid-May, but don't support any hashes besides MD5.
Anybody who updated their setuptools between then and the release of
0.7 would have that version.  Unfortunately, it's hard to tell how
many people that is, though I could try and dig through my server logs
to find out.

There's also another issue with jumping to SHA256: Python prior to 2.5
didn't support it.

Which brings up another point: the setuptools 0.6 series is the only
setuptools available for Python 2.3.  That's one of the reasons it's
still available for download.  If you want SSL verification on 2.3,
it's the only thing available.  (Meanwhile, a lot of people are still
downloading 0.6c11; probably I should package up an 0.6c12 so those
folks pick it up instead of 0.6c11.)

Anyway, this is all somewhat moot since the hashes only matter when
the download is hosted somewhere besides PyPI, since SSL verification
is available for the PyPI part.  Even so, I'd suggest that moving to
SHA1 might be a good intermediate step: it's available on Python 2.3,
so I could backport the relevant support to the 0.6 branch.  (IIUC,
Python 2.3 is still the default version for many Linux distros that
have not reached end-of-life support.)
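As an added example that is not setuptools code and not part of this thread: a verifier for the `#algo=hexdigest` link fragments the thread's hashes live in, which recognises sha256, sha1 and md5 but refuses md5 unless a migration flag is set. The URLs and sample bytes are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms the verifier recognises, strongest first. MD5 is listed only
# so legacy links can be recognised and reported, not trusted; the policy
# in verify_download() refuses it unless explicitly allowed.
SUPPORTED = ("sha256", "sha1", "md5")

def parse_hash_fragment(url):
    """Return (algorithm, hex_digest) from a link such as
    http://host.invalid/pkg-1.0.tar.gz#sha256=<hex>, or None when the
    link carries no recognisable digest fragment."""
    frag = urlparse(url).fragment
    if "=" not in frag:
        return None
    algo, _, digest = frag.partition("=")
    algo = algo.lower()
    if algo not in SUPPORTED:
        return None
    return algo, digest.lower()

def verify_download(url, data, allow_weak=False):
    """Check downloaded bytes against the digest embedded in the URL.
    Returns (ok, reason). MD5 is refused unless allow_weak is set, which
    is what a transition period would switch off once links are updated."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False, "no digest fragment on link"
    algo, expected = parsed
    if algo == "md5" and not allow_weak:
        return False, "md5 digest refused; re-publish link with sha256"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so a mismatch reveals nothing about how far it matched.
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch" % algo
    return True, "%s verified" % algo

# Constructed sample: bytes of a hypothetical sdist plus links carrying its
# sha256 and md5 digests (computed here from the sample bytes).
SAMPLE = b"example sdist contents, constructed for this example\n"
SHA256_URL = "http://host.invalid/pkg-1.0.tar.gz#sha256=" + hashlib.sha256(SAMPLE).hexdigest()
MD5_URL = "http://host.invalid/pkg-1.0.tar.gz#md5=" + hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(verify_download(SHA256_URL, SAMPLE))
    print(verify_download(MD5_URL, SAMPLE))
    print(verify_download(MD5_URL, SAMPLE, allow_weak=True))
    print(verify_download(SHA256_URL, SAMPLE + b"x"))
```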

