[Distutils] a plea for backward-compatibility / smooth transitions (was: Re: Migrating Hashes from MD5 to SHA256)

Nick Coghlan ncoghlan at gmail.com
Mon Jul 29 13:58:07 CEST 2013

On 29 July 2013 19:38, holger krekel <holger at merlinux.eu> wrote:
> Hi Nick, Donald, all,
> On Sun, Jul 28, 2013 at 22:23 +1000, Nick Coghlan wrote:
>> On 28 July 2013 20:55, Donald Stufft <donald at stufft.io> wrote:
>> > Ok so given that:
>> >
>> >     - There's a readily available solution for Python 2.4+ with the likelihood
>> >        being that most users are either using it or using an older version which
>> >        doesn't support SSL.
>> >     - The number of folks likely to be on Python 2.3 and wanting to install things
>> >        from PyPI is likely to be very small.
>> >     - There's possibly a future solution for Python 2.3
>> >     - The safety margins for MD5 are gone and cryptographers heavily suggest
>> >        moving away from it.
> Please detail the actual attack scenario wrt PyPI/installer processes.
>> >     - A revised scheme will break backwards compatibility with the versions of
>> >       the tooling that do support a stronger hash.
>> >
>> > I'm going to go ahead and make this change unless someone comes out and
>> > contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
>> > have an issue with the move.
> Actually, I strongly object to further backward-incompatible changes.
> Please (generally) find a way to introduce improvements without breaking
> existing installation processes at the same time.
> For example, in this case pip/easy_install could indicate to PyPI what
> kind of hashes it accepts (through a header or query param or whatever)
> and PyPI could serve it but we'd default to MD5 for now if nothing else
> was requested.  Please also consider the PEP438 vetted registration of
> externals+hashes in this context.  Once things and tools are working
> nicely we can switch to serving a non-MD5 hash as default after a
> sufficient grace period.

Having the improved hashes be opt-in (by the client) strikes me as a
reasonable request.

Yes, this means nothing will actually happen until easy_install/pip
are updated to request those improved hashes and those versions see
significant uptake, but as Holger says, we need to ensure we put
sufficient effort into smoothing out the roller coaster ride that has
been the recent experience of packaging system users.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
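The opt-in scheme Holger proposes and Nick endorses above (client advertises the hashes it accepts, the index serves the strongest one both sides support, and legacy clients that send nothing still get MD5) can be sketched as a small client/index simulation. This is an added example, not code from pip, easy_install or PyPI; the header name `X-Accept-Hashes`, the `<algo>=<hexdigest>` digest format and the sample archive bytes are all constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed example (not PyPI's or pip's code): hash-algorithm negotiation
# between an installer client and a package index, as proposed in the thread.
# "X-Accept-Hashes" is a hypothetical header name, not a real PyPI header.

# Algorithms the index can compute, strongest first; md5 stays the legacy default
# so installers that predate the scheme keep working during the grace period.
INDEX_SUPPORTED = ("sha256", "sha1", "md5")
LEGACY_DEFAULT = "md5"

# Constructed sample archive content "served" by the index.
PACKAGE_BYTES = b"constructed-sdist-bytes-for-example\n"


def parse_accept_hashes(header_value):
    """Parse the comma-separated algorithm list sent by the client.

    None or an empty string means an old client that never sent the header.
    """
    if not header_value:
        return []
    return [name.strip().lower() for name in header_value.split(",") if name.strip()]


def choose_algorithm(client_header):
    """Pick the strongest algorithm both sides support.

    Clients that sent nothing, or nothing the index knows, get the legacy
    default rather than an error, which is the backward-compatible behaviour
    the thread asks for.
    """
    accepted = parse_accept_hashes(client_header)
    if not accepted:
        return LEGACY_DEFAULT
    for name in INDEX_SUPPORTED:  # ordered strongest first
        if name in accepted:
            return name
    return LEGACY_DEFAULT


def index_response(client_headers):
    """Simulated index: return the archive plus a "<algo>=<hexdigest>" string
    computed with the negotiated algorithm (constructed format)."""
    algo = choose_algorithm(client_headers.get("X-Accept-Hashes"))
    digest = hashlib.new(algo, PACKAGE_BYTES).hexdigest()
    return {"body": PACKAGE_BYTES, "digest": "%s=%s" % (algo, digest)}


def client_verify(response, acceptable=("sha256",)):
    """Simulated installer: recompute the digest with the algorithm the index
    named, refusing the archive if that algorithm is not one it trusts or the
    digest does not match. A modern client therefore rejects an md5-only
    response instead of silently accepting a weak hash."""
    algo, _, expected = response["digest"].partition("=")
    if algo not in acceptable:
        return False
    actual = hashlib.new(algo, response["body"]).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    modern = index_response({"X-Accept-Hashes": "sha256, md5"})
    legacy = index_response({})
    print("modern client negotiated:", modern["digest"].split("=")[0])
    print("legacy client negotiated:", legacy["digest"].split("=")[0])
    print("modern client verifies sha256 response:", client_verify(modern))
    print("modern client accepts md5 response:", client_verify(legacy))
```

The index side never breaks an old installer (no header means MD5 as before), while the client side decides for itself which algorithms it is willing to trust; switching the index default away from MD5 after the grace period is then a one-constant change that only affects clients which never opted in.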
