[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Antoine Pitrou solipsis at pitrou.net
Fri Dec 7 13:47:24 EST 2018

On Fri, 7 Dec 2018 06:49:59 -0800
Devin Jeanpierre <jeanpierreda at gmail.com>
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net> wrote:
> > md5 is only used for a quick integrity check here (think of it as a
> > sophisticated checksum).  For security you need to verify the
> > corresponding GPG signature.
> >  
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So it
> doesn't matter. The real defense most people are relying on is TLS.

If the site is vulnerable to modifications, then TLS doesn't help.
Again: you must verify the GPG signatures (since they are produced by
the release manager's private key, which is *not* stored on the
python.org Web site).



More information about the Python-ideas mailing list