[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Ronald Oussoren ronaldoussoren at mac.com
Mon Dec 10 01:31:44 EST 2018

> On 9 Dec 2018, at 18:31, Paul Moore <p.f.moore at gmail.com> wrote:
> None of which is that relevant, the fact still remains that no matter
> what algorithm is used, the hash only has limited value as a security
> measure.

That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it harder to validate the checksum on major platforms. 

I don’t have a strong opinion either way; I’m slightly in favour of switching to the same algorithm as used on PyPI to be consistent within these PSF properties.

BTW, I wonder how many actually verify these checksums; I personally generally assume that HTTPS downloads are reliable enough and don’t verify checksums unless I do the download in an automation pipeline.
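As an added illustration of the two points above (validating a SHA-2 digest is no harder than MD5 on the major platforms, and checksum checks mostly matter in automation), here is a small POSIX shell verifier that is not part of this thread or of python.org's tooling. It assumes one of sha256sum, shasum or openssl is installed, and the sample file and digest are constructed for the demo rather than taken from a real release.

```shell
# Added example, not from the thread: verify a downloaded file against a
# published SHA-256 digest the way an automation pipeline would, using
# whichever digest tool the platform provides. Fails closed on mismatch.

# sha256_of FILE -> prints the lowercase hex digest, returns 1 if no tool exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then      # GNU coreutils (Linux)
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then       # Perl shasum (macOS, BSD)
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then      # fallback: "SHA256(f)= hex"
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The expected value is normalised to lowercase so copy-pasted uppercase
# digests still compare correctly.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed sample: the "download" is a file containing "hello\n"; its
# SHA-256 is the standard test value below, not a python.org release digest.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        && echo "ok: digest matches"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In a pipeline, call `verify_sha256` right after the download and let its non-zero exit status abort the job; the digest you pass in should come from a source fetched separately from the file itself.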


