[Python-ideas] Using sha512 instead of md5 on python.org/downloads
ronaldoussoren at mac.com
Mon Dec 10 01:31:44 EST 2018
> On 9 Dec 2018, at 18:31, Paul Moore <p.f.moore at gmail.com> wrote:
> None of which is that relevant, the fact still remains that no matter
> what algorithm is used, the hash only has limited value as a security
That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it harder to validate the checksum on major platforms.
I don’t have a strong opinion either way; I’m slightly in favour of switching to the same algorithm as used on PyPI to be consistent within these PSF properties.
BTW, I wonder how many actually verify these checksums. I personally generally assume that HTTPS downloads are reliable enough and don’t verify checksums unless I do the download in an automation pipeline.