[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Nathaniel Smith njs at pobox.com
Fri Dec 7 19:35:56 EST 2018

On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano <steve at pearwood.info> wrote:

> On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
> > For this specific purpose, md5 is just as good as a proper hash. But all
> > else being equal, it would still be better to use a proper hash, just so
> > people don't have to go through the whole security analysis to check
> > that.
> I don't understand what you are trying to say here about "the whole
> security analysis" to check "that". What security analysis, and
> what is "that"?

The analysis that people posted in this thread, demonstrating that for the
particular purpose at hand, md5 and sha-whatever are equally useful.

> It seems to me that moving to a cryptographically-secure hash would give
> many people a false sense of security, that just because the hash
> matched, the download was not only not corrupted, but not compromised as
> well. For those two purposes:
> - testing for accidental corruption;
> - testing for deliberate compromise;
> md5 and sha512 are precisely equivalent: both are sufficient for the
> first, and useless for the second. But a crypto-hash can give a false
> sense of security. The original post in this thread is evidence of that.

If you're worried about giving people a false sense of security, I think it
would be more effective to post a prominent notice or link describing how
people should interpret the hashes. Maybe some people see md5 and think
"ah-hah, this is their way of warning me that the hash is suitable for
defending against accidental corruption but not malicious actors", but it
must be a small minority :-). (That's certainly not what the OP thought.)
Most people will just think we're fools who don't realize or care that md5 is
broken. Statistically, that's a pretty reasonable guess when you see
someone using md5.


Nathaniel J. Smith -- https://vorpus.org
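The two cases the thread distinguishes (accidental corruption versus a deliberate replacement where the attacker also rewrites the digest on the same page), worked through as an added example; this is not code from the thread or from python.org, and the release bytes and the "attacker" modification are constructed stand-ins:

```python
import hashlib
import hmac

# Constructed sample release bytes; stands in for a downloaded installer.
RELEASE = b"constructed sample release archive contents"


def digest_hex(data: bytes, algorithm: str) -> str:
    """Hex digest of data with any hashlib algorithm (md5, sha256, sha512, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str) -> bool:
    """Check a download against the digest printed on the downloads page.

    Constant-time comparison of hex strings. Which algorithm is used does not
    change what this check can and cannot tell you.
    """
    return hmac.compare_digest(digest_hex(data, algorithm), published_hex.lower())


def corruption_detected(original: bytes, algorithm: str) -> bool:
    """Accidental corruption: one bit flipped in transit.

    Every hash catches this, md5 included, because the published digest was
    computed from the intact file.
    """
    published = digest_hex(original, algorithm)
    corrupted = bytearray(original)
    corrupted[len(corrupted) // 2] ^= 0x01
    return not verify_download(bytes(corrupted), published, algorithm)


def compromise_detected(original: bytes, algorithm: str) -> bool:
    """Deliberate compromise: whoever replaced the file on the server also
    rewrote the digest line on the same page.

    Returns False for every algorithm: the digest only proves the file matches
    what the page says, and the page is what was altered. Authenticity needs
    something that did not travel with the download, such as a signature
    checked against a key obtained separately.
    """
    tampered = original + b" (constructed: modified content)"
    published = digest_hex(tampered, algorithm)  # digest rewritten to match
    return not verify_download(tampered, published, algorithm)


if __name__ == "__main__":
    for alg in ("md5", "sha256", "sha512"):
        print(alg, "corruption:", corruption_detected(RELEASE, alg),
              "compromise:", compromise_detected(RELEASE, alg))
```

Running it prints True for corruption and False for compromise on all three algorithms, which is the equivalence the thread describes.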