Joachim at Strombergson.com
Tue Jun 30 23:19:52 EDT 2009
Carl Banks wrote:
> On Jun 30, 5:55 pm, Lawrence D'Oliveiro <l... at geek-
> central.gen.new_zealand> wrote:
>> In message <mailman.2410.1246390911.8015.python-l... at python.org>, Tarek
>> Ziadé wrote:
>>> I would like to propose this PEP for inclusion into Python 2.7 / 3.2
>> Why are you using MD5?
> I doubt it's the design aim for eggs to be cryptographically secure,
> and MD5 is sufficient to detect changes.
Even so, choosing md5 in 2009 for something that (hopefully) will be
used for years is a bad design decision. It creates a dependency on
an algorithm that all sensible recommendations point you to move away
from. Just check the hashlib documentation for example:
I would suggest using SHA-256 in the library. The reason for this
is that md5 and SHA-1 are weak. The computational complexity of SHA-256
is bigger, but since it probably won't be done many thousands of times
during an egg installation, it shouldn't add a noticeable delay.
With kind regards, Yours
Joachim Strömbergson - Always in harmonic oscillation.
Kryptoblog - IT security in Swedish
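
An added example, not part of the original message or of the PEP under discussion: a file manifest that tags each digest with its algorithm, defaults to SHA-256, and refuses MD5/SHA-1 entries at verification time, so the format carries no hard dependency on one hash. The `relpath,algo=hexdigest` line format and all function names are hypothetical, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

WEAK = {"md5", "sha1"}  # algorithms the message recommends moving away from

def file_digest(path, algo="sha256", chunk=65536):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # hash in chunks
            h.update(block)
    return h.hexdigest()

def build_record(root, algo="sha256"):
    """Return sorted 'relpath,algo=hexdigest' lines for every file under root."""
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{rel},{algo}={file_digest(full, algo)}")
    return sorted(lines)

def verify_record(root, lines):
    """Return (relpath, problem) for every entry that fails verification."""
    problems = []
    for line in lines:
        rel, _, tagged = line.rpartition(",")
        algo, _, expected = tagged.partition("=")
        full = os.path.join(root, *rel.split("/"))
        if algo in WEAK or algo not in hashlib.algorithms_guaranteed:
            problems.append((rel, f"rejected algorithm {algo}"))
        elif not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif file_digest(full, algo) != expected:
            problems.append((rel, "digest mismatch"))
    return problems

def demo():
    """Constructed sample tree: record it, modify one file, then verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.py", b"x = 1\n"), ("b.py", b"y = 2\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        record = build_record(root)          # SHA-256 manifest
        legacy = build_record(root, "md5")   # manifest as an MD5-only tool would write it
        with open(os.path.join(root, "a.py"), "ab") as f:
            f.write(b"import os\n")          # simulate a post-install change
        return verify_record(root, record), verify_record(root, legacy)
```
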