My two cents.
Automation tools should check the PGP signature. The public keys should be
obtained once via https from an odd number of different trustworthy sources
from a set of well-known domains that use DNSSEC. Users should be advised to
check the certificate chain from those domains the first time those keys
are downloaded and explicitly agree. This is a more secure schema than
simply relying on a checksum that you've got from the same site you've used
to download the code.
Moving from MD5 to SHA obscures this, by making people believe that this
hash should be used for anything more than checking for file corruption.

On Mon, 10 Dec 2018 at 12:45, Bernardo Sulzbach <
berna...@bernardosulzbach.com> wrote:

> If the discussion gets to which SHA-2 should be used, I would like to
> point out that SHA-512 is not only twice the width of SHA-256 but also
> faster to compute (anecdotally) on most 64-bit platforms.
> _______________________________________________
> Python-ideas mailing list
> Python-ideas@python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>


-- 
Marcos Eliziário Santos
mobile/whatsapp/telegram: +55(21) 9-8027-0156
skype: marcos.elizia...@gmail.com
linked-in : https://www.linkedin.com/in/eliziario/
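The key-acquisition scheme sketched in the message above (an odd number of https sources that must agree on the signing key, plus an explicit first-use acceptance by the user) can be pinned down in code. The following is an added example, not code from the python-ideas thread or from any Python project. It assumes a fetch step has already retrieved a key fingerprint from each source over HTTPS; here those results are a constructed in-memory table so the example runs offline, and the fingerprints are made-up hex strings. Checking the DNSSEC status of each domain and the actual PGP signature verification (for example with `gpg --verify`) happen outside this code.

```python
"""Key-source quorum and first-use pinning for a release-signing key.

Added example, not code from the python-ideas thread or any Python project.
It assumes some fetch step has already retrieved a key fingerprint from each
source over HTTPS; the results below are a constructed in-memory table so the
example runs offline. DNSSEC checks and the PGP signature verification itself
(e.g. `gpg --verify`) are separate steps not implemented here.
"""
from collections import Counter
from typing import Dict, Mapping
from urllib.parse import urlsplit

# Constructed sample data: the fingerprint each source reports for the
# project's signing key. These are made-up hex strings, not real key
# fingerprints. One table contains a dissenting source, as a stale or
# tampered mirror would produce; another has no strict majority at all.
GOOD_FP = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
OTHER_FP = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
THIRD_FP = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"

REPORTS_AGREE = {
    "https://keys.example.org/release.asc": GOOD_FP,
    "https://mirror-a.example.net/release.asc": GOOD_FP,
    "https://mirror-b.example.com/release.asc": GOOD_FP,
}
REPORTS_ONE_DISSENT = {
    **REPORTS_AGREE,
    "https://mirror-b.example.com/release.asc": OTHER_FP,
}
REPORTS_SPLIT = {  # five sources voting 2/2/1: no strict majority
    "https://keys.example.org/release.asc": GOOD_FP,
    "https://mirror-a.example.net/release.asc": GOOD_FP,
    "https://mirror-b.example.com/release.asc": OTHER_FP,
    "https://mirror-c.example.io/release.asc": OTHER_FP,
    "https://mirror-d.example.edu/release.asc": THIRD_FP,
}


def normalize(fingerprint: str) -> str:
    """Canonical form for comparison: no whitespace, upper-case hex."""
    return "".join(fingerprint.split()).upper()


def agreed_fingerprint(reports: Mapping[str, str]) -> str:
    """Return the fingerprint that a strict majority of sources report.

    Enforces the constraints from the message: every source URL must be
    https, and the number of sources must be odd so a tie cannot occur.
    Raises ValueError when no strict majority exists.
    """
    n = len(reports)
    if n == 0 or n % 2 == 0:
        raise ValueError(f"need an odd number of sources, got {n}")
    for url in reports:
        if urlsplit(url).scheme != "https":
            raise ValueError(f"key source must be fetched over https: {url}")
    votes = Counter(normalize(fp) for fp in reports.values())
    fingerprint, count = votes.most_common(1)[0]
    if count <= n // 2:
        raise ValueError(f"no strict majority among {n} sources: {dict(votes)}")
    return fingerprint


class PinStore:
    """Trust-on-first-use record of the agreed fingerprint per project.

    On first use the caller must pass user_agreed=True, meaning the user has
    inspected the certificate chains and explicitly accepted the key, as the
    message asks. Afterwards a changed fingerprint is refused, never
    silently re-pinned.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, project: str, fingerprint: str, user_agreed: bool = False) -> str:
        fingerprint = normalize(fingerprint)
        pinned = self._pins.get(project)
        if pinned is None:
            if not user_agreed:
                raise PermissionError(
                    f"{project}: first use of this key requires explicit user agreement")
            self._pins[project] = fingerprint
            return "pinned"
        if pinned != fingerprint:
            raise ValueError(
                f"{project}: signing key changed ({pinned} -> {fingerprint}); refusing")
        return "matched"


if __name__ == "__main__":
    fp = agreed_fingerprint(REPORTS_ONE_DISSENT)  # one bad mirror is outvoted
    store = PinStore()
    print(store.check("example-tool", fp, user_agreed=True))
    print(store.check("example-tool", fp))
```

The quorum only protects against a minority of bad sources; with three sources one compromised or stale mirror is outvoted, but two colluding mirrors are not, which is why the sources should be independently operated. Only after the pinned key is agreed does the downloaded file's detached signature get verified against it.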
