On 09.03.2013 02:06, Giovanni Bajo wrote:
> It's a good practice to avoid crypto algorithms whose foundations are known
> to be broken. This is one of those cases. If we ever touch code that uses
> MD5, we should drop it immediately. There is no reason to keep it and wait
> for someone to release an attack, so that the world can point fingers at us
> and laugh.
Relax, MD5 is still fine to detect broken or partial downloads. Trust me, this still happens a lot with broken proxy servers and unstable network connections. I have seen my fair share of broken files during deployments at work. If we are going to remove MD5 *now*, then we are going to remove the last bit of security from old tools.

I agree that MD5 doesn't provide strong cryptographic security. But it's still better than no checksum. I also agree that we should no longer endorse MD5 and move to a strong hash algorithm for checksums. People will point their fingers towards us and laugh about Python when somebody abuses MD5 for an attack on PyPI.

File size + MD5 (for legacy) + SHA-2 look good to me.

Christian

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
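The "file size + MD5 (for legacy) + SHA-2" scheme from the reply above, as an added example written for this thread; it is not code from PyPI, pip or any other tool discussed here. The function and type names (`verify_stream`, `verify_bytes`, `published_digests`, `VerifyResult`), the metadata dictionary layout and the sample "package" bytes are all assumptions made for the illustration. It does a single pass over the download, checks the size first (which by itself catches the truncated files the reply talks about), verifies whatever digests were published, and flags an MD5-only index as a warning rather than a failure, so old metadata still gets a check instead of none.

```python
"""Size + MD5 (legacy) + SHA-256 verification of a downloaded file.

Added example for this thread, not code from PyPI or any Python tool.
Names (verify_stream, published_digests, VerifyResult) are invented here.
"""
import hashlib
import hmac
import io
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    ok: bool                                   # every published check passed
    problems: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def published_digests(data: bytes) -> dict:
    """What an index would publish next to the file: size, legacy MD5, SHA-256."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_stream(fileobj, expected: dict, chunk_size: int = 1 << 16) -> VerifyResult:
    """Single pass over a file-like object: count bytes and feed every hash at once.

    Keys absent from `expected` are skipped, so an old index that only publishes
    md5 still gets a size + MD5 check instead of no check at all.
    """
    hashers = {a: hashlib.new(a) for a in ("md5", "sha256") if a in expected}
    size = 0
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)

    problems, warnings = [], []
    # Size first: the cheapest check, and on its own it catches a truncated download.
    if "size" in expected and size != expected["size"]:
        problems.append(f"size mismatch: got {size}, expected {expected['size']}")
    for algo, h in hashers.items():
        # constant-time compare so a mismatch does not leak the matching prefix
        if not hmac.compare_digest(h.hexdigest(), expected[algo].lower()):
            problems.append(f"{algo} mismatch")
    if not hashers:
        warnings.append("no digest published; size check only")
    elif "sha256" not in hashers:
        # MD5 still detects accidental corruption, but collisions are practical,
        # so a matching MD5 alone is not evidence the file is the one published.
        warnings.append("only legacy MD5 available; not a defence against substitution")
    return VerifyResult(ok=not problems, problems=problems, warnings=warnings)


def verify_bytes(data: bytes, expected: dict) -> VerifyResult:
    """Convenience wrapper for data already held in memory."""
    return verify_stream(io.BytesIO(data), expected)


if __name__ == "__main__":
    # constructed sample "package", not a real PyPI file
    blob = bytes(range(256)) * 64
    meta = published_digests(blob)
    print(verify_bytes(blob, meta))                     # ok, no warnings
    print(verify_bytes(blob[:-1], meta))                # truncated: size and both hashes fail
    flipped = blob[:10] + bytes([blob[10] ^ 1]) + blob[11:]
    print(verify_bytes(flipped, meta))                  # same size, both hashes fail
    legacy = {k: meta[k] for k in ("size", "md5")}
    print(verify_bytes(blob, legacy))                   # ok, with an MD5-only warning
```

A client would call `verify_stream` on the open download before moving the file into place and refuse to install on any `problems`; the `warnings` list is where an installer would log that it had nothing better than MD5 to go on, which is the situation the reply wants to keep supported rather than break.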