[Distutils] Migrating Hashes from MD5 to SHA256
ncoghlan at gmail.com
Sun Jul 28 14:23:58 CEST 2013
On 28 July 2013 20:55, Donald Stufft <donald at stufft.io> wrote:
> Ok so given that:
> - There's a readily available solution for Python 2.4+ with the likelihood
> being that most users are either using it or using an older version which
> doesn't support SSL.
> - The number of folks likely to be on Python 2.3 and wanting to install things
> from PyPI is likely to be very small.
> - There's possibly a future solution for Python 2.3
> - The safety margins for MD5 are gone and cryptographers heavily suggest
> moving away from it.
> - A revised scheme will break backwards compatibility with the versions of
> the tooling that do support a stronger hash.
> I'm going to go ahead and make this change unless someone comes out and
> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
> have an issue with the move.
+1, this sounds like a good way forward for the existing PyPI interfaces.
We can do something better once the focus shifts from "make the status
quo not broken" to making the next generation interfaces a reality
(PEP 426 et al).
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia