[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Antoine Pitrou solipsis at pitrou.net
Fri Dec 7 04:39:30 EST 2018


On Fri, 7 Dec 2018 09:53:04 +0100
Miro Hrončok <mhroncok at redhat.com> wrote:
> Hi,
> 
> I see md5 checksums at a release download page such as [1].
> 
> My idea is to switch to sha512 for a more reliable outcome.
> 
> I'm no security expert, but AFAIK md5 is generally believed to be unsafe, 
> as it was repeatedly proven it can be vulnerable [2].

md5 is only used for a quick integrity check here (think of it as a
sophisticated checksum).  For security you need to verify the
corresponding GPG signature.

Regards

Antoine.
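
The distinction drawn in the reply above, as an added example that is not part of the original message or of python.org's tooling: a digest check only catches a corrupted download, while authenticity comes from `gpg --verify` checked against a signer fingerprint pinned out of band. The function names, the pinned-fingerprint parameter and the sample status lines are assumptions constructed for illustration.

```python
import hashlib
import subprocess

def file_digest(path, algo="sha512"):
    """Stream the file through hashlib. A digest published next to the file
    detects accidental corruption only, whichever algorithm is used."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def valid_signers(status_text):
    """Collect key fingerprints from gpg's machine-readable VALIDSIG lines."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # The tenth argument is the primary key fingerprint when gpg
            # reports it; otherwise fall back to the signing key itself.
            signers.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return signers

def verify_release(path, sig_path, pinned_fingerprint):
    """True only if gpg accepts the detached signature AND it was made by the
    key whose fingerprint the caller obtained through a separate channel."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return proc.returncode == 0 and pinned in valid_signers(proc.stdout)

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real key).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2018-12-07 1544175570 0 4 0 1 10 00 "
    + "B" * 40 + "\n"
)
```

Checking the fingerprint from `VALIDSIG` rather than only gpg's exit status matters because gpg reports success for a good signature from any key in the local keyring.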



