[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Marcos Eliziario marcos.eliziario at gmail.com
Mon Dec 10 10:05:49 EST 2018

My two cents.
Automation tools should check the PGP signature. The public keys should be
obtained once via https from an odd number of different trustworthy sources
from a set of well know domains that use DNSSEC. Users should be advised to
check the certificate chain from those domains at the first time those keys
are downloaded and explicitly agree. This is a more secure schema than
simply relying on a checksum that you've got from the same site you've used
to download the code.
Moving from MD5 from SHA obscures this, by making people believe that this
hash should be used for anything more than checking for file corruption.

Em seg, 10 de dez de 2018 às 12:45, Bernardo Sulzbach <
bernardo at bernardosulzbach.com> escreveu:

> If the discussion gets to which SHA-2 should be used, I would like to
> point out that SHA-512 is not only twice the width of SHA-256 but also
> faster to compute (anecdotally) on most 64-bit platforms.
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/

Marcos Eliziário Santos
mobile/whatsapp/telegram: +55(21) 9-8027-0156
skype: marcos.eliziario at gmail.com
linked-in : https://www.linkedin.com/in/eliziario/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20181210/4d900cc2/attachment.html>

More information about the Python-ideas mailing list