[Distutils] Migrating Hashes from MD5 to SHA256
Donald Stufft
donald at stufft.io
Sun Jul 28 12:55:20 CEST 2013
Ok so given that:
- There's a readably available solution for Python 2.4+ with the likelihood
being that most users are either using it or using an older version which
doesn't support SSL.
- The number of folks likely to be on Python 2.3 and wanting to install things
from PyPI is likely to be very small.
- There's possibly a future solution for Python 2.3
- The safety margins for MD5 are gone and cryptographers heavily suggest
moving away from it.
- A revised scheme will break backwards compatibility with the versions of
the tooling that do support a stronger hash.
I'm going to go ahead and make this change unless someone comes out and
contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
have an issue with the move.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130728/2f5a8a36/attachment.pgp>
More information about the Distutils-SIG
mailing list