On 03/07/2012 10:53, Tarek Ziadé wrote:
On 7/3/12 4:32 PM, PJ Eby wrote:
No, because that's not what the RECORD hashes are for. It's not an
intrusion detection system, it's an installer conflict and "oops I
edited the wrong file" checker.
People who are upset because md5 is low security are correctly
understanding that this system *provides no security*. We are not
promising ANY security, so *not* using a secure hash is actually
preferable. The goal is data integrity against accidental overwrite
by dumb installer tools (e.g. distutils) and accidental edits, not
security against malicious tampering.
Exactly. Promises of false security do not help users.
Yeah I don't really understand this debate over md5 hashes here. I
suggest that we emphasize in PEP 376 the fact that the sole purpose is to
have a checksum.
Putting that on my list of editions for the PEPs!
Cheers
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
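
Added example (not code from this thread or from PEP 376): a checker for the accidental-overwrite and accidental-edit cases the messages above describe. It assumes a RECORD file with one CSV row of path, hex MD5 and size per installed file; the names check_record and demo and the file tree are constructed for illustration.

```python
import csv
import hashlib
import os
import tempfile


def check_record(root, record_name="RECORD"):
    """Return [(path, reason)] for files that no longer match their RECORD row."""
    problems = []
    with open(os.path.join(root, record_name), newline="") as fh:
        for path, digest, size in csv.reader(fh):
            if not digest:  # rows without a hash (here: RECORD itself) are skipped
                continue
            full = os.path.join(root, path)
            if not os.path.exists(full):
                problems.append((path, "missing"))
                continue
            with open(full, "rb") as f:
                data = f.read()
            # MD5 is used purely as a checksum, hence usedforsecurity=False (Python 3.9+)
            if len(data) != int(size):
                problems.append((path, "size changed"))
            elif hashlib.md5(data, usedforsecurity=False).hexdigest() != digest:
                problems.append((path, "content changed"))
    return problems


def demo():
    """Build a constructed install tree, damage it by accident, check it twice."""
    root = tempfile.mkdtemp()
    files = {  # constructed sample files
        "pkg/__init__.py": b"VERSION = '1.0'\n",
        "pkg/core.py": b"def run():\n    return 1\n",
        "pkg/util.py": b"def helper():\n    pass\n",
    }
    rows = []
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        rows.append((rel, hashlib.md5(data, usedforsecurity=False).hexdigest(), len(data)))
    rows.append(("RECORD", "", ""))
    with open(os.path.join(root, "RECORD"), "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    clean = check_record(root)
    with open(os.path.join(root, "pkg/__init__.py"), "wb") as f:
        f.write(b"VERSION = '1.1-other'\n")        # another installer overwrote it
    with open(os.path.join(root, "pkg/core.py"), "wb") as f:
        f.write(b"def run():\n    return 2\n")     # same-length accidental edit
    os.remove(os.path.join(root, "pkg/util.py"))   # accidental deletion
    return clean, check_record(root)
```

The RECORD file sits unauthenticated beside the files it describes, so a clean result only rules out accidental change, which is the scope stated in the thread.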