[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Antoine Pitrou
solipsis at pitrou.net
Fri Dec 7 04:39:30 EST 2018
On Fri, 7 Dec 2018 09:53:04 +0100
Miro Hrončok <mhroncok at redhat.com> wrote:
> Hi,
>
> I see md5 checksums at a release download page such as [1].
>
> My idea is to switch to sha512 for a more reliable outcome.
>
> I'm no security expert, but AFAIK md5 is generally believed to be unsafe,
> as it was repeatedly proven it can be vulnerable [2].
md5 is only used for a quick integrity check here (think of it as a
sophisticated checksum). For security you need to verify the
corresponding GPG signature.
Regards
Antoine.
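
Added example, not part of the original message: a Python sketch of why a checksum published next to the download only catches accidental corruption, whichever hash is used. It does not perform GPG verification; the `trusted` digest stands in for a value authenticated through a channel the download server does not control (which is what a verified signature provides), and all data and names here are constructed for illustration.

```python
import hashlib
import hmac
import io


def digests(stream, algos=("md5", "sha512"), chunk=65536):
    """Read the stream once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algos}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches(stream, expected_hex, algo):
    """Compare a stream's digest with an expected hex digest."""
    actual = digests(stream, (algo,))[algo]
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed sample data standing in for a release file.
RELEASE = b"constructed sample: original release tarball\n" * 1000
TRUNCATED = RELEASE[:-10]                                # damaged in transit
REPLACED = RELEASE.replace(b"original", b"modified", 1)  # swapped on the server


def scenario(algo):
    """Return what each check concludes for the given hash algorithm."""
    # Assumption: this digest reached the user through an authenticated channel.
    trusted = digests(io.BytesIO(RELEASE), (algo,))[algo]
    # The download page lists the genuine digest; the file got damaged.
    page_digest = trusted
    # File and page come from the same server, so a party that can replace
    # the file can also replace the digest listed beside it.
    page_digest_after_swap = digests(io.BytesIO(REPLACED), (algo,))[algo]
    return {
        "corruption_detected": not matches(io.BytesIO(TRUNCATED), page_digest, algo),
        "swap_passes_page_checksum": matches(io.BytesIO(REPLACED), page_digest_after_swap, algo),
        "swap_caught_by_trusted_digest": not matches(io.BytesIO(REPLACED), trusted, algo),
    }


if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        print(algo, scenario(algo))
```

The three results are the same for md5 and sha512: the outcome depends on where the expected digest comes from, not on the strength of the hash.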