[Distutils] Migrating Hashes from MD5 to SHA256

Christian Heimes christian at python.org
Fri Jul 26 21:24:59 CEST 2013


On 26.07.2013 18:25, Donald Stufft wrote:
> PyPI has historically used MD5 in order to verify the downloads.
> However MD5 is severely broken and is generally regarded as
> something that should be migrated away from ASAP. From speaking
> with a number of cryptographers they've more or less said that the
> major reason they believe that MD5 hasn't had a published pre-image
> attack is just because it's so broken that most researchers have
> moved on to newer hashes.
> 
> Since versions 1.2 pip has supported md5, sha1, and any of the sha2
> family. Additionally it has only supported SSL verification since
> 1.3. This means there is no version of pip which both verifies SSL
> and only allows MD5.
> 
> Since version 0.9 setuptools has supported md5, sha1, and any of
> the sha2 family and it has only supported SSL verification since
> 0.7.
> 
> I propose we switch PyPI from using MD5 to using SHA256. There is
> no security lost from using a hash that pip prior to version 1.2
> doesn't understand as it didn't verify SSL so an attacker could
> simply modify the hashes if they wanted. Additionally there is no
> security lost from setuptools versions earlier than 0.7.

A couple of months ago I suggested a schema that includes MD5, SHA-2
and file size:

  file.tar.gz#MD5=1234&SHA-256=abcd&filesize=5023

That should work for old versions of setuptools and can easily be
supported in new versions of pip and setuptools.

A new hash sum scheme must include the possibility to add multiple and
new hash algorithms. A download tool shall check the hash sum for all
supported algorithms, too. I would also like to see the file size in the
scheme. It's useful to know the file size in preparation for the
download. The file size validation mitigates some attack possibilities.

Christian

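The fragment scheme discussed in this message, worked through as an added example (not code from the thread or from pip/setuptools): one side builds the `MD5=…&SHA-256=…&filesize=…` fragment, the client side parses it, checks the size first and then every algorithm it supports, and rejects the file on any mismatch, while ignoring algorithm names it does not know so the scheme can grow. The key spellings in `ALGORITHMS` and the `example.invalid` host are assumptions.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Fragment keys of the proposed scheme mapped to hashlib names (assumed spellings).
# MD5 stays only so that old clients can still verify; it adds no security on its own.
ALGORITHMS = {"md5": "md5", "sha-256": "sha256", "sha-512": "sha512"}


def build_fragment(data, algorithms=("md5", "sha-256")):
    """Index side: build 'MD5=...&SHA-256=...&filesize=N' for the given bytes."""
    parts = [f"{name.upper()}={hashlib.new(ALGORITHMS[name], data).hexdigest()}"
             for name in algorithms]
    parts.append(f"filesize={len(data)}")
    return "&".join(parts)


def parse_fragment(url):
    """Return ({hashlib_name: hexdigest}, filesize or None) from the URL fragment."""
    digests, size = {}, None
    for key, value in parse_qsl(urlsplit(url).fragment):
        key = key.lower()
        if key == "filesize":
            size = int(value)
        elif key in ALGORITHMS:
            digests[ALGORITHMS[key]] = value.lower()
        # Unknown keys are ignored so new algorithms can be added later.
    return digests, size


def verify_download(url, data):
    """Client side: check the size, then every supported digest in the fragment.
    Returns (ok, problems); a single mismatch rejects the file."""
    digests, size = parse_fragment(url)
    problems = []
    if size is not None and len(data) != size:
        problems.append(f"filesize {len(data)} != {size}")
    if not digests:
        problems.append("no supported digest in fragment")
    for algo, want in digests.items():
        if hashlib.new(algo, data).hexdigest() != want:
            problems.append(f"{algo} mismatch")
    return not problems, problems


if __name__ == "__main__":
    sample = b"constructed package contents"  # constructed sample input
    link = "https://example.invalid/file.tar.gz#" + build_fragment(sample)
    print(link)
    print(verify_download(link, sample))
```

Because every supported digest is checked, a fragment whose MD5 still matches but whose SHA-256 does not is rejected, which is what makes the combined scheme stronger than MD5 alone.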
