[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Miro Hrončok mhroncok at redhat.com
Mon Dec 10 05:11:21 EST 2018

Dne 07. 12. 18 v 15:49 Devin Jeanpierre napsal(a):
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net 
> <mailto:solipsis at pitrou.net>> wrote:
>     md5 is only used for a quick integrity check here (think of it as a
>     sophisticated checksum).  For security you need to verify the
>     corresponding GPG signature.
> More to the point: you're getting the hash from the same place as the 
> binary. If one is vulnerable to modifications by attackers, both are. So 
> it doesn't matter. The real defense most people are relying on is TLS.

Yes I really on TLS, no I'm not getting the archive necessarily from 
python.org. I might get it from a 3rd parrty that claims it's genuine.

Such party might be a Linux distro or another package manager (e.g. 

I can of course use GPG to verify it, but for quick check a sha512 sum 
works for me, while md5 not so much.

In Fedora, we use sha512 checksums [1]. In homebrew they use sha256 [2].

[1] https://src.fedoraproject.org/rpms/python3/blob/master/f/sources
[2] https://github.com/Homebrew/homebrew-core/blob/master/Formula/python.rb

Miro Hrončok
Phone: +420777974800
IRC: mhroncok

More information about the Python-ideas mailing list