[Python-ideas] Using sha512 instead of md5 on python.org/downloads
njs at pobox.com
Fri Dec 7 16:25:19 EST 2018
For this specific purpose, md5 is just as good as a proper hash. But all
else being equal, it would still be better to use a proper hash, just so
people don't have to go through the whole security analysis to check that.
Of course all else isn't equal: switching from md5 to sha-whatever would
require someone do the work. Is anyone volunteering?
On Fri, Dec 7, 2018, 11:56 Devin Jeanpierre <jeanpierreda at gmail.com wrote:
> On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou <solipsis at pitrou.net>
>> If the site is vulnerable to modifications, then TLS doesn't help.
>> Again: you must verify the GPG signatures (since they are produced by
>> the release manager's private key, which is *not* stored on the
>> python.org Web site).
> This is missing the point. They were asking why not to use SHA512. The
> answer is that the hash does not provide any extra security. GPG is
> separate: even if there was no GPG signature, SHA512 would still not
> provide any extra security. That's why I said "more to the point". :P
> Nobody "must" verify the GPG signatures. TLS doesn't protect against
> everything, but neither does GPG. A naive user might just download a public
> GPG key from a compromised python.org and use it to verify the
> compromised release, see everything is "OK", and still be hosed.
> -- Devin
> Python-ideas mailing list
> Python-ideas at python.org
> Code of Conduct: http://python.org/psf/codeofconduct/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Python-ideas