> On 9 Dec 2018, at 18:31, Paul Moore <p.f.mo...@gmail.com> wrote:
>
> None of which is that relevant, the fact still remains that no matter
> what algorithm is used, the hash only has limited value as a security
> measure.

That’s true, but it does show that switching from MD5 to SHA2 doesn’t make it harder to validate the checksum on major platforms. I don’t have a strong opinion either way, I’m slightly in favour of switching to the same algorithm as used on PyPI to be consistent within these PSF properties.

BTW, I wonder how many actually verify these checksums. I personally generally assume that HTTPS downloads are reliable enough and don’t verify checksums unless I do the download in an automation pipeline.

Ronald