On Mar 8, 2013, at 5:02 PM, Christian Heimes <christ...@python.org> wrote:
> On 08.03.2013 22:43, Daniel Holth wrote:
>> Check out https://blake2.net/ ; it is both faster and more secure than
>> md5. md5 does have to go, no matter how secure it is in this
>> particular application. SHA2 is the only choice that doesn't require a
>> long explanation. When this came up a little less than a year ago we
>> talked about maybe including the SHA2 hash in one of the link
>> attributes <a href= something="hash"> for the benefit of old clients.
>
> Let's not add yet another crypto hash algorithm. :)
>
> We have SHA-1 and SHA-2, that ought to be enough. SHA-3 is available
> for Python 3.4 and I provide stand-alone sources and binaries for 2.6 to
> 3.3. Blake2 looks nice but we should stick to NIST-approved algorithms.
>
> The combination of file size, MD5 (for legacy reasons), SHA-1 and
> perhaps SHA-256 is more than sufficient. Don't forget that files have to
> be valid tar.gz, tar.bz2, zip or Windows binaries, too …

Sha-1 is broken. Sha-2 or better is the only real acceptable one in the stdlib.

>
> Christian

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig