PEP 376

Joachim Strömbergson Joachim at
Tue Jun 30 23:19:52 EDT 2009


Carl Banks wrote:
> On Jun 30, 5:55 pm, Lawrence D'Oliveiro <l... at geek-
> central.gen.new_zealand> wrote:
>> In message <mailman.2410.1246390911.8015.python-l... at>, Tarek
>> Ziadé wrote:
>>> I would like to propose this PEP for inclusion into Python 2.7 / 3.2
>> Why are you using MD5?
> I doubt it's the design aim for eggs to be cryptographically secure,
> and MD5 is sufficient to detect changes.

Even so, choosing md5 in 2009 for something that (hopefully) will be
used for years is a bad design decision. It creates a dependency on
an algorithm that all sensible recommendations point you to move away
from. Just check the hashlib documentation for example:

I would suggest using SHA-256 in the library. The reason for this
is that md5 and SHA-1 are weak. The computational complexity of SHA-256
is bigger, but since it probably won't be done many thousands of times
during an egg installation, it shouldn't add a noticeable delay.

--
With kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
Kryptoblog - IT security in Swedish
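The recommendation in the message above, applied to an installed-files manifest, as an added example that is not part of the original message or of PEP 376: each digest carries its algorithm name, so moving off a weak hash later needs no format change, and verification refuses weak algorithms. The `algorithm=hexdigest` tag, the record layout, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption for this example: digests are stored as "<algorithm>=<hexdigest>"
# so the algorithm can be replaced later without changing the record layout.
ALLOWED = {"sha256", "sha512"}  # md5 and sha1 are deliberately excluded


def make_record(path, data, algorithm="sha256"):
    """Return a (path, tagged_digest, size) record for one installed file."""
    if algorithm not in ALLOWED:
        raise ValueError(f"refusing weak or unknown algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).hexdigest()
    return (path, f"{algorithm}={digest}", len(data))


def verify_record(record, data):
    """Return 'ok', 'modified' or 'weak-algorithm' for the current file bytes."""
    _path, tagged, size = record
    algorithm, _, expected = tagged.partition("=")
    if algorithm not in ALLOWED:
        return "weak-algorithm"  # do not trust a match under a broken hash
    actual = hashlib.new(algorithm, data).hexdigest()
    if len(data) != size or not hmac.compare_digest(actual, expected):
        return "modified"
    return "ok"


def audit(records, files):
    """Check every record against `files`, a mapping of path -> bytes."""
    return {rec[0]: ("missing" if rec[0] not in files
                     else verify_record(rec, files[rec[0]]))
            for rec in records}


# Constructed sample data standing in for an installed distribution.
INSTALLED = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}
RECORDS = [make_record(p, d) for p, d in INSTALLED.items()]
# Constructed legacy record with a placeholder md5 digest (not a real hash).
LEGACY = ("pkg/old.py", "md5=" + "0" * 32, 6)

if __name__ == "__main__":
    changed = dict(INSTALLED)
    changed["pkg/core.py"] = b"def run():\n    return 43\n"
    changed["pkg/old.py"] = b"x = 1\n"
    print(audit(RECORDS + [LEGACY], changed))
```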
