[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Antoine Pitrou solipsis at pitrou.net
Mon Dec 10 05:26:15 EST 2018

On Mon, 10 Dec 2018 07:31:44 +0100
Ronald Oussoren via Python-ideas
<python-ideas at python.org> wrote:
> That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it harder to validate the checksum on major platforms. 
> I don’t have a strong opinion either way, I’m slightly in favour of switching to the same algorithm as used on PyPI to be consistent within these PSF properties. 
> BTW. I wonder how many actually verify these checksums, I personally generally assume that HTTPS downloads are reliable enough and don’t verify checksums unless I do the download in an automation pipeline.

Ah, the automation use case is a good point in favor of stronger hashes.
You may have checked the initial download hash and then use it in a
script to make sure later downloads haven't been tempered with.



More information about the Python-ideas mailing list