[Distutils] Migrating Hashes from MD5 to SHA256

Nick Coghlan ncoghlan at gmail.com
Sun Jul 28 14:23:58 CEST 2013

On 28 July 2013 20:55, Donald Stufft <donald at stufft.io> wrote:
> Ok so given that:
>     - There's a readably available solution for Python 2.4+ with the likelihood
>        being that most users are either using it or using an older version which
>        doesn't support SSL.
>     - The number of folks likely to be on Python 2.3 and wanting to install things
>        from PyPI is likely to be very small.
>     - There's possibly a future solution for Python 2.3
>     - The safety margins for MD5 are gone and cryptographers heavily suggest
>        moving away from it.
>     - A revised scheme will break backwards compatibility with the versions of
>       the tooling that do support a stronger hash.
> I'm going to go ahead and make this change unless someone comes out and
> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
> have an issue with the move.

+1, this sounds like a good way forward for the existing PyPI interfaces.

We can do something better once the focus shifts from "make the status
quo not broken" to making the next generation interfaces a reality
(PEP 426 et al).


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list