PEP 376

Joachim Strömbergson Joachim at
Thu Jul 2 15:15:18 CEST 2009

Hash: SHA1


Tarek Ziadé wrote:
> The prefix is a good idea but since it's just a checksum to control
> that the file hasn't changed
> what's wrong with using a weak hash algorithm like md5 or now sha1 ?

Because it creates a dependency to an old algorithm that should be
deprecated. Also using MD5, even for a thing like this might make people
belive that it is an ok algorithm to use - "Hey, it is used by the
default install in Python, so it must be ok, right?"

If we flip the argument around: Why would you want to use MD5 instead of
SHA-256? For the specific use case the performance will not (should not)
be an issue.

As I wrote a few mails ago, it is time to move forward from MD5 and
designing something in 2009 that will be around for many years that uses
MD5 is (IMHO) a bad design decision.

> If someone wants to modify a file of a distribution he can recreate
> the checksum as well,
> the only secured way to prevent that would be to use gpg keys but
> isn't that overkill for what we need ?

Actually, adding this type of security would IMHO be a good idea.

- --
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
Kryptoblog - IT-säkerhet på svenska
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla -


More information about the Python-list mailing list