[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Miro Hrončok
mhroncok at redhat.com
Mon Dec 10 05:11:21 EST 2018
On 07. 12. 18 at 15:49 Devin Jeanpierre wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net
> <mailto:solipsis at pitrou.net>> wrote:
>
> > md5 is only used for a quick integrity check here (think of it as a
> > sophisticated checksum). For security you need to verify the
> > corresponding GPG signature.
>
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So
> it doesn't matter. The real defense most people are relying on is TLS.
Yes, I rely on TLS; no, I'm not necessarily getting the archive from
python.org. I might get it from a 3rd party that claims it's genuine.
Such a party might be a Linux distro or another package manager (e.g.
Homebrew).
I can of course use GPG to verify it, but for a quick check a sha512 sum
works for me, while md5 not so much.
In Fedora, we use sha512 checksums [1]. In homebrew they use sha256 [2].
[1] https://src.fedoraproject.org/rpms/python3/blob/master/f/sources
[2] https://github.com/Homebrew/homebrew-core/blob/master/Formula/python.rb
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
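The cross-source check Miro describes, as an added example that is not code from this thread, from python.org, or from Fedora's packaging: a verifier that parses checksum lines in the BSD-style format Fedora's "sources" files use (`SHA512 (file) = hex`), hashes an archive obtained from somewhere else, and compares the result. It checks integrity only, exactly as Antoine says; authenticity of the archive still needs the GPG signature, which this script does not verify. The archive bytes and the sources text below are constructed for the example and are not real python.org digests.

```python
import hashlib
import hmac
import os
import re

# Checksum line format used by Fedora "sources" files (BSD-style):
#   SHA512 (Python-3.7.1.tar.xz) = <128 hex chars>
_SOURCES_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)

# Digest sizes in bytes. md5 is accepted only because some upstream download
# pages still publish it; every algorithm here is an integrity check, not an
# authenticity proof. Authenticity comes from the GPG signature, not from here.
DIGEST_BYTES = {"md5": 16, "sha256": 32, "sha512": 64}


def parse_sources(text):
    """Parse sources-file text into {filename: (algorithm, hexdigest)}."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SOURCES_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a checksum line: {line!r}")
        algo = m.group("algo").lower()
        if algo not in DIGEST_BYTES:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo}")
        hexdigest = m.group("hex").lower()
        if len(hexdigest) != 2 * DIGEST_BYTES[algo]:
            raise ValueError(f"line {lineno}: {algo} digest has wrong length")
        expected[m.group("name")] = (algo, hexdigest)
    return expected


def digest_bytes(data, algo):
    """Hex digest of an in-memory blob with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo, chunk_size=1 << 20):
    """Stream a (possibly large) archive through the hash in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _verify(name, compute_hexdigest, expected):
    """Return (ok, message); compute_hexdigest(algo) is called lazily."""
    if name not in expected:
        return False, f"{name}: no checksum recorded in sources"
    algo, want = expected[name]
    got = compute_hexdigest(algo)
    # Constant-time comparison; hex strings are ASCII, so compare_digest accepts them.
    if not hmac.compare_digest(got, want):
        return False, f"{name}: {algo} mismatch"
    return True, f"{name}: {algo} OK"


def verify_bytes(name, data, expected):
    """Verify an in-memory archive against the parsed sources entries."""
    return _verify(name, lambda algo: digest_bytes(data, algo), expected)


def verify_file(path, expected):
    """Verify an on-disk archive; the sources entry is looked up by basename."""
    return _verify(os.path.basename(path), lambda algo: digest_file(path, algo), expected)


# Constructed sample data (not a real tarball, not Fedora's real sources file).
GOOD_ARCHIVE = b"not a real Python tarball, just constructed sample bytes\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE.replace(b"sample", b"hostile")
SAMPLE_SOURCES = (
    "# constructed sample sources file\n"
    f"SHA512 (Python-3.7.1.tar.xz) = {digest_bytes(GOOD_ARCHIVE, 'sha512')}\n"
    f"SHA256 (Python-3.7.1.tgz) = {digest_bytes(GOOD_ARCHIVE, 'sha256')}\n"
)


if __name__ == "__main__":
    expected = parse_sources(SAMPLE_SOURCES)
    for label, blob in (("good", GOOD_ARCHIVE), ("tampered", TAMPERED_ARCHIVE)):
        ok, msg = verify_bytes("Python-3.7.1.tar.xz", blob, expected)
        print(f"{label}: {msg}")
```

In real use the sources text would come from python.org (or the distro's packaging repository) over TLS and the archive from the third party; `verify_file` streams the archive so multi-hundred-megabyte tarballs do not have to be read into memory. A passing check only tells you the third-party copy matches what the hash publisher saw, which is the "quick check" in the post, not a substitute for `gpg --verify` on the signature.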