Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Sun, Dec 9, 2018 at 10:32 PM Ronald Oussoren via Python-ideas < python-ideas@python.org> wrote: > BTW. I wonder how many actually verify these checksums, > Hardly anyone -- most of us verify the download by trying to use it :-) Which doesn't mean that we shouldn't have it -- but it will

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

A Hash is surely useful in the context of locking versions of software packages in Pipfile.lock because we tell us that the code we are downloading has not changed since the first we saw this particular version of the package, but only a signature scheme tell us with a reasonable degree of

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

My two cents. Automation tools should check the PGP signature. The public keys should be obtained once via https from an odd number of different trustworthy sources from a set of well know domains that use DNSSEC. Users should be advised to check the certificate chain from those domains at the

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

If the discussion gets to which SHA-2 should be used, I would like to point out that SHA-512 is not only twice the width of SHA-256 but also faster to compute (anecdotally) on most 64-bit platforms. ___ Python-ideas mailing list Python-ideas@python.org

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Sun, 9 Dec 2018 at 15:13, Barry Scott wrote: > > On Windows 10 this works: > > c:Downloads> certutil -hashfile python-3.7.1-amd64.exe sha512 > SHA512 hash of python-3.7.1-amd64.exe: >

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Windows 10 this works: c:Downloads> certutil -hashfile python-3.7.1-amd64.exe sha512 SHA512 hash of python-3.7.1-amd64.exe: 7dec6362c402b38a9c29b85b204398d7d3fd19509f05279bf713a92abe5b485d4c0c4b175c4edb47f81fd800a599bc2283642a8f0c666edd9e971b5cedf18041 CertUtil: -hashfile command completed

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

> On 8 Dec 2018, at 05:14, Steven D'Aprano wrote: > > On Sat, Dec 08, 2018 at 11:05:43AM +0900, INADA Naoki wrote: > >> We already use SHA256 on PyPI. >> Many project in the world moving from md5 to SHA256. > [...] > > > How easy is it to use sha256 on the major platforms, compared to md5?

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, 7 Dec 2018 11:54:59 -0800 Devin Jeanpierre wrote: > On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou wrote: > > > If the site is vulnerable to modifications, then TLS doesn't help. > > Again: you must verify the GPG signatures (since they are produced by > > the release manager's private

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On 08/12/2018 05.55, Gregory P. Smith wrote: > > On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano > > wrote: > > On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote: > > > For this specific purpose, md5 is just as good as a proper hash. > But

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 07, 2018 at 08:55:53PM -0800, "Gregory P. Smith" wrote: > Debian provides all of the popular FIPS hashes... [skip] > https://cdimage.debian.org/debian-cd/current/ppc64el/iso-cd/ And they protect the hash files by signing them instead of signing CDs/DVDs. > -gps Oleg. --

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote: > On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote: > > > For this specific purpose, md5 is just as good as a proper hash. But all > > else being equal, it would still be better to use a proper hash, just so > > people don't

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Sat, Dec 08, 2018 at 11:05:43AM +0900, INADA Naoki wrote: > We already use SHA256 on PyPI. > Many project in the world moving from md5 to SHA256. [...] How easy is it to use sha256 on the major platforms, compared to md5? On Linux, it is just as easy: [steve@ando ~]$ md5sum x.py

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 07, 2018 at 04:35:56PM -0800, Nathaniel Smith wrote: > On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote: > > > On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote: > > > > > For this specific purpose, md5 is just as good as a proper hash. But all > > > else being

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

> > It seems to me that moving to a cryptographically-secure hash would give > many people a false sense of security, that just because the hash > matched, the download was not only not corrupted, but not compromised as > well. For those two purposes: > > - testing for accidental corruption; > -

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano wrote: > On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote: > > > For this specific purpose, md5 is just as good as a proper hash. But all > > else being equal, it would still be better to use a proper hash, just so > > people don't

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote: > For this specific purpose, md5 is just as good as a proper hash. But all > else being equal, it would still be better to use a proper hash, just so > people don't have to go through the whole security analysis to check that. I

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

For this specific purpose, md5 is just as good as a proper hash. But all else being equal, it would still be better to use a proper hash, just so people don't have to go through the whole security analysis to check that. Of course all else isn't equal: switching from md5 to sha-whatever would

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 7, 2018 at 10:48 AM Antoine Pitrou wrote: > If the site is vulnerable to modifications, then TLS doesn't help. > Again: you must verify the GPG signatures (since they are produced by > the release manager's private key, which is *not* stored on the > python.org Web site). > This is

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

Would this change actually help people who need to use FIPS? Other than that this change would only decrease the already very small probability of a corrupted download hashing the same, which isn't a bad thing. If it could make some users' jobs easier, even if it by no means helps guaranteeing

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, 7 Dec 2018 06:49:59 -0800 Devin Jeanpierre wrote: > On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote: > > > md5 is only used for a quick integrity check here (think of it as a > > sophisticated checksum). For security you need to verify the > > corresponding GPG signature. > > >

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

Devils advocate: it might complicate things for someone that needs to use FIPS, where MD5 can be a pain to deal with. On Fri, Dec 7, 2018 at 8:50 AM Devin Jeanpierre wrote: > On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote: > >> md5 is only used for a quick integrity check here (think of

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou wrote: > md5 is only used for a quick integrity check here (think of it as a > sophisticated checksum). For security you need to verify the > corresponding GPG signature. > More to the point: you're getting the hash from the same place as the

Re: [Python-ideas] Using sha512 instead of md5 on python.org/downloads

On Fri, 7 Dec 2018 09:53:04 +0100 Miro Hrončok wrote: > Hi, > > I see md5 checksums at a release download page such as [1]. > > My idea is to switch to sha512 for a more reliable outcome. > > I'm no security expert, but AFAK md5 is generally believed to be unsafe, > as it was repeatedly

[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Hi, I see md5 checksums at a release download page such as [1]. My idea is to switch to sha512 for a more reliable outcome. I'm no security expert, but AFAK md5 is generally believed to be unsafe, as it was repeatedly proven it can be vulnerable [2]. [1]