[Distutils] Migrating Hashes from MD5 to SHA256

zooko zooko at zooko.com
Sat Jul 27 02:55:37 CEST 2013


On Fri, Jul 26, 2013 at 12:25:36PM -0400, Donald Stufft wrote:
> PyPI has historically used MD5 in order to verify the downloads. However, MD5 is severely broken and is generally regarded as something that should be migrated away from ASAP. From speaking with a number of cryptographers, they've more or less said that the major reason they believe that MD5 hasn't had a published pre-image attack is just because it's so broken that most researchers have moved on to newer hashes.

Who said that? That contradicts my beliefs.

Thanks!

Regards,

Zooko

