Christian Heimes <li...@cheimes.de> added the comment:

I talked to some experts (Alex Gaynor, Simo Sorce). They all share my sentiment 
and are against SHA1DC. The algorithm is just a poor bandaid for a gaping 
security issue. Everybody was strongly against replacing SHA1 with SHA1DC by 
default, because it's an incompatible implementation. SHA1DC is only able to 
counteract some of the known flaws, too. Even git doesn't replace SHA1 with 
SHA1DC directly. Instead it turns a detected collision into a fatal error [1].

I'm -1 on adding it to the Python standard library. Alex pointed out that the lack 
of SHA1DC in OpenSSL is a clear sign that it's not generally useful. SHA1DC may 
be useful for few applications like git. In general it's not a fool-proof 
safety net for SHA1.

[1] https://github.com/git/git/blob/master/sha1dc_git.c#L17-L23

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34930>
_______________________________________