[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Devin Jeanpierre jeanpierreda at gmail.com
Fri Dec 7 14:54:59 EST 2018

On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou <solipsis at pitrou.net> wrote:

> If the site is vulnerable to modifications, then TLS doesn't help.
> Again: you must verify the GPG signatures (since they are produced by
> the release manager's private key, which is *not* stored on the
> python.org Web site).

This is missing the point. They were asking why not to use SHA512. The
answer is that the hash does not provide any extra security. GPG is
separate: even if there was no GPG signature, SHA512 would still not
provide any extra security. That's why I said "more to the point". :P

Nobody "must" verify the GPG signatures. TLS doesn't protect against
everything, but neither does GPG. A naive user might just download a public
GPG key from a compromised python.org and use it to verify the compromised
release, see everything is "OK", and still be hosed.

-- Devin