On 2021-03-27 01:54, Theallredman via Python-Dev wrote:
Forgive me if this isn't the correct venue for this question and I ask your help directing me to the correct place if it is not.

In PEP-376 it states with respect to the valid hashes in a Wheel RECORD file:

"The hash is either the empty string or the hash algorithm as named in hashlib.algorithms_guaranteed, followed by the equals character =, followed by the urlsafe-base64-nopad encoding of the digest (base64.urlsafe_b64encode(digest) with trailing = removed)."

In PEP-427 it further restricts the valid hashes to omit md5 and sha1 and says:

"The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted."

Nowhere does it define on what dimension of a hash "better" should be considered. From the context talking about the security of the algorithm I'd infer that "better" is with respect to collision resistance. If so, does that mean sha224 should also be excluded from wheel RECORD file hashes?

The "256" part refers to it generating a 256-bit signature, so a "better" one is one that generates a signature that's longer, e.g. "sha384" and "sha512".
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/6RAUURQDHYGQEFNNEZTIEOJ2J3BUMN5B/
Code of Conduct: http://python.org/psf/codeofconduct/
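As an added example (not part of this thread or of any packaging tool), here are small Python helpers that build and check a RECORD hash field exactly as PEP 376 quotes it above, and refuse the md5/sha1 entries PEP 427 forbids. The function and constant names are my own; the extra guard against the variable-length shake_* algorithms is an assumption beyond what the PEPs spell out.

```python
import base64
import binascii
import hashlib
import hmac

# Algorithms PEP 427 explicitly forbids in a wheel RECORD file.
FORBIDDEN = {"md5", "sha1"}


def _checked_algorithm(algorithm: str) -> None:
    """Raise ValueError unless `algorithm` is acceptable for a RECORD entry."""
    if algorithm not in hashlib.algorithms_guaranteed:
        raise ValueError(f"{algorithm!r} is not in hashlib.algorithms_guaranteed")
    if algorithm in FORBIDDEN:
        raise ValueError(f"{algorithm} is not permitted by PEP 427")
    # Assumption: shake_* have no fixed-length digest, so they cannot fill the field.
    if algorithm.startswith("shake_"):
        raise ValueError(f"{algorithm} has no fixed-length digest")


def record_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return '<alg>=<urlsafe-base64-nopad digest>' for `data`, as PEP 376 describes."""
    _checked_algorithm(algorithm)
    digest = hashlib.new(algorithm, data).digest()
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"{algorithm}={encoded}"


def verify_record_hash(data: bytes, field: str) -> bool:
    """Check `data` against a RECORD hash field; an empty field records no hash."""
    if field == "":
        return True  # PEP 376 allows the empty string: nothing to verify
    algorithm, sep, encoded = field.partition("=")
    if not sep:
        return False
    try:
        _checked_algorithm(algorithm)
        # Restore the padding the RECORD encoding strips before decoding.
        expected = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except (ValueError, binascii.Error):
        return False
    actual = hashlib.new(algorithm, data).digest()
    # Constant-time comparison so a mismatch is not timing-observable.
    return hmac.compare_digest(actual, expected)
```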