[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Nathaniel Smith njs at pobox.com
Fri Dec 7 16:25:19 EST 2018

For this specific purpose, md5 is just as good as a proper hash. But all
else being equal, it would still be better to use a proper hash, just so
people don't have to go through the whole security analysis to check that.

Of course all else isn't equal: switching from md5 to sha-whatever would
require someone do the work. Is anyone volunteering?

On Fri, Dec 7, 2018, 11:56 Devin Jeanpierre <jeanpierreda at gmail.com wrote:

> On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou <solipsis at pitrou.net>
> wrote:
>> If the site is vulnerable to modifications, then TLS doesn't help.
>> Again: you must verify the GPG signatures (since they are produced by
>> the release manager's private key, which is *not* stored on the
>> python.org Web site).
> This is missing the point. They were asking why not to use SHA512. The
> answer is that the hash does not provide any extra security. GPG is
> separate: even if there was no GPG signature, SHA512 would still not
> provide any extra security. That's why I said "more to the point". :P
> Nobody "must" verify the GPG signatures. TLS doesn't protect against
> everything, but neither does GPG. A naive user might just download a public
> GPG key from a compromised python.org and use it to verify the
> compromised release, see everything is "OK", and still be hosed.
> -- Devin
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20181207/ab5e39f1/attachment.html>

More information about the Python-ideas mailing list