[Python-ideas] Using sha512 instead of md5 on python.org/downloads
mhroncok at redhat.com
Mon Dec 10 05:11:21 EST 2018
On 07. 12. 18 at 15:49 Devin Jeanpierre wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net> wrote:
> md5 is only used for a quick integrity check here (think of it as a
> sophisticated checksum). For security you need to verify the
> corresponding GPG signature.
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So
> it doesn't matter. The real defense most people are relying on is TLS.
Yes, I rely on TLS; no, I'm not necessarily getting the archive from
python.org. I might get it from a 3rd party that claims it's genuine.
Such party might be a Linux distro or another package manager (e.g.
I can of course use GPG to verify it, but for quick check a sha512 sum
works for me, while md5 not so much.
In Fedora, we use sha512 checksums. In homebrew they use sha256.
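As an added illustration (not code from this thread or from any of the projects named in it), the check below verifies a downloaded archive against a manifest in the `sha512sum`/`sha256sum` output format that distro packaging typically carries, and refuses md5-length entries so a checksum match only ever means sha256 or sha512. The sample file, its name and its contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. md5 (32 hex chars) is deliberately absent: it is
# not collision resistant, so an md5 match only catches accidental corruption.
ACCEPTED = {128: "sha512", 64: "sha256"}

def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so a large archive need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
def parse_manifest(text):
    """Parse 'HEX  filename' lines as written by sha512sum/sha256sum."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            entries[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return entries
def verify(path, manifest_text):
    """Return (ok, detail); only sha256/sha512 manifest entries are accepted."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False, "no manifest entry for this file"
    algo = ACCEPTED.get(len(expected))
    if algo is None or set(expected) - set("0123456789abcdef"):
        return False, "rejected digest of %d chars (md5, malformed or unknown)" % len(expected)
    if hmac.compare_digest(file_digest(path, algo), expected):  # constant-time compare
        return True, algo
    return False, "%s mismatch" % algo
def demo():
    """Constructed sample archive checked against sha512, sha256, md5 and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.tar.xz")  # constructed file, not a real release
        with open(path, "wb") as f:
            f.write(b"not really a tarball\n" * 100)
        name = os.path.basename(path)
        lines = {a: "%s  %s" % (file_digest(path, a), name) for a in ACCEPTED.values()}
        results = {a: verify(path, lines[a])[0] for a in lines}
        results["md5"] = verify(path, "%s  %s" % ("0" * 32, name))[0]
        with open(path, "ab") as f:  # tamper after the manifest was produced
            f.write(b"x")
        results["tampered"] = verify(path, lines["sha512"])[0]
        return results
```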