[Distutils] a plea for backward-compatibility / smooth transitions

Ronald Oussoren ronaldoussoren at mac.com
Mon Jul 29 23:32:35 CEST 2013


On 29 Jul, 2013, at 22:33, Donald Stufft <donald at stufft.io> wrote:

> 
> On Jul 29, 2013, at 3:14 PM, Donald Stufft <donald at stufft.io> wrote:
> 
>> 
>> On Jul 29, 2013, at 2:57 PM, zooko <zooko at zooko.com> wrote:
>> 
>>> I'd like to push back on the other risk, that someone might figure out how to
>>> make MD5 second-pre-images. I don't think this is a risk that we need to
>>> urgently address, and I've written a short note explaining why. This note is
>>> incomplete, badly edited, has not been peer-reviewed, and is not ready for
>>> publication, but I thought it might help folks evaluate how urgent it is to
>>> upgrade from MD5, so here it is.
>> 
>> I don't think it's urgent to fix it, but I think it's a good security hardening effort
>> with very little downside and very little chance of regression. However, as I
>> said if Holger, or anyone else, has a concern about the effects of adding this
>> bit of security hardening to give us a safety net again then I simply won't do
>> it in the simple API.
>> 
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
>> _______________________________________________
>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>> http://mail.python.org/mailman/listinfo/distutils-sig
> 
> Somewhat relevant to the question at hand: http://valerieaurora.org/hash.html
> 
> (Yes it lists sha-2 as weakened, which it is. However sha-3 isn't widespread enough for us :( )

That SHA-3 isn't widespread yet is not a surprise, AFAIK it isn't even a standard yet :-). According to <http://csrc.nist.gov/groups/ST/hash/sha-3/timeline_fips.html> the standard will be finalized in Q2 2014. 

BTW. I agree that the MD5 checksums on PyPI will have to go some time, and it would be nice if the replacement scheme had a way to use multiple hashes to make it easier to switch to a new hash in the future. I know too little of the setuptools and pip implementations to have anything useful to add to the discussion about the timing for this.

Ronald



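The "multiple hashes" idea above, worked through as an added example (this is not code from the thread, nor from pip, setuptools or PyPI): package metadata carries a digest per algorithm, the client checks every digest it is given, and a file is only accepted when at least one of the digests comes from an algorithm on an acceptable list. MD5 and SHA-1 can still be compared during the transition but never satisfy the policy on their own, so an attacker who can find an MD5 second pre-image gains nothing once a SHA-2 digest is also published. The algorithm lists, exception names and the sample bytes are assumptions made for the example.

```python
import hashlib
import hmac

# Assumed policy for this example: strongest-preferred list of algorithms that
# may satisfy verification, plus legacy algorithms that are still compared
# (so stale metadata is not silently ignored) but cannot satisfy it alone.
ACCEPTABLE_ALGORITHMS = ("sha512", "sha256")
LEGACY_ALGORITHMS = ("sha1", "md5")

# Constructed sample artifact standing in for a downloaded sdist/wheel.
SAMPLE_ARTIFACT = b"constructed sample package contents, not a real archive\n"


class DigestMismatch(Exception):
    """A digest listed in the metadata does not match the downloaded data."""


class NoAcceptableDigest(Exception):
    """Only legacy (MD5/SHA-1) digests were available; policy rejects the file."""


def compute_digests(data, algorithms):
    """Hex digests of `data` for each algorithm, as a publisher would emit them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def publish_digests(data):
    """What an index would publish during a transition: new and legacy digests
    side by side, so old clients keep working and new clients ignore MD5."""
    return compute_digests(data, ACCEPTABLE_ALGORITHMS + LEGACY_ALGORITHMS)


def verify_digests(data, expected):
    """Verify `data` against a dict of {algorithm: hex digest}.

    Rules:
      * an unknown algorithm is an error (fail closed rather than skip it);
      * every listed digest must match, a mismatch in any one rejects the file;
      * at least one matching digest must come from ACCEPTABLE_ALGORITHMS.
    Returns the set of algorithms that matched.
    """
    known = set(ACCEPTABLE_ALGORITHMS) | set(LEGACY_ALGORITHMS)
    unknown = set(expected) - known
    if unknown:
        raise ValueError("unsupported digest algorithm(s): %s" % sorted(unknown))

    matched = set()
    for alg, hexdigest in expected.items():
        actual = hashlib.new(alg, data).hexdigest()
        # Constant-time comparison; both sides are lowercase ASCII hex.
        if not hmac.compare_digest(actual, hexdigest.lower()):
            raise DigestMismatch("%s digest does not match" % alg)
        matched.add(alg)

    if not matched & set(ACCEPTABLE_ALGORITHMS):
        raise NoAcceptableDigest(
            "only legacy digests present (%s); an acceptable algorithm is required"
            % ", ".join(sorted(matched)))
    return matched


def classify(data, expected):
    """Convenience wrapper returning a short verdict string instead of raising."""
    try:
        matched = verify_digests(data, expected)
    except DigestMismatch:
        return "mismatch"
    except NoAcceptableDigest:
        return "legacy-only"
    except ValueError:
        return "unknown-algorithm"
    return "ok:" + ",".join(sorted(matched))


if __name__ == "__main__":
    meta = publish_digests(SAMPLE_ARTIFACT)
    print(classify(SAMPLE_ARTIFACT, meta))
    print(classify(SAMPLE_ARTIFACT, {"md5": meta["md5"]}))
    print(classify(SAMPLE_ARTIFACT + b"x", meta))
```

Switching algorithms later then means adding the new name to ACCEPTABLE_ALGORITHMS and starting to publish its digest; once enough clients understand it, the older name moves down to LEGACY_ALGORITHMS and finally drops out, without any flag day on the index.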