[Python-ideas] Using sha512 instead of md5 on python.org/downloads
Miro Hrončok
mhroncok at redhat.com
Mon Dec 10 05:11:21 EST 2018
On 07. 12. 18 at 15:49, Devin Jeanpierre wrote:
> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <solipsis at pitrou.net>
> wrote:
>
>     md5 is only used for a quick integrity check here (think of it as a
>     sophisticated checksum). For security you need to verify the
>     corresponding GPG signature.
>
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So
> it doesn't matter. The real defense most people are relying on is TLS.

Yes I rely on TLS, no I'm not getting the archive necessarily from
python.org. I might get it from a 3rd party that claims it's genuine.
Such party might be a Linux distro or another package manager (e.g.
homebrew).

I can of course use GPG to verify it, but for a quick check a sha512 sum
works for me, while md5 not so much.

In Fedora, we use sha512 checksums [1]. In homebrew they use sha256 [2].

[1] https://src.fedoraproject.org/rpms/python3/blob/master/f/sources
[2] https://github.com/Homebrew/homebrew-core/blob/master/Formula/python.rb

-- 
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
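The quick check discussed in this message, as an added example that is not part of the original post or of any project mentioned in it: verify an archive obtained from a third party against a checksum line published by a source you trust, accepting only sha256/sha512 and refusing md5. It assumes the line arrives in BSD-style (`SHA512 (file) = hex`, as written by `sha512sum --tag`) or GNU coreutils style (`hex  file`); the function names and the file name `example-1.0.tar.xz` are hypothetical.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Digests accepted for the check, with their hex lengths; md5 and sha1 are refused.
STRONG = {"SHA256": 64, "SHA512": 128}
BSD_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")  # SHA512 (file) = hex
GNU_LINE = re.compile(r"^([0-9a-fA-F]+)[ \t]+\*?(.+)$")       # hex  file

def parse_checksum_line(line):
    """Return (algorithm, filename, hexdigest) from a BSD- or GNU-style line."""
    line = line.strip()
    m = BSD_LINE.match(line)
    if m:
        algo, name, digest = m.group(1).upper(), m.group(2), m.group(3).lower()
    else:
        m = GNU_LINE.match(line)
        if not m:
            raise ValueError("unrecognised checksum line")
        digest, name = m.group(1).lower(), m.group(2)
        # GNU-style lines carry no tag; infer the algorithm from digest length.
        algo = next((a for a, n in STRONG.items() if n == len(digest)), "UNKNOWN")
    if STRONG.get(algo) != len(digest):
        raise ValueError(f"refusing weak or malformed digest ({algo}, {len(digest)} hex chars)")
    return algo, name, digest

def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so large archives are not loaded whole."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, checksum_line):
    """True only if the file name and digest both match the trusted line."""
    algo, name, expected = parse_checksum_line(checksum_line)
    if Path(path).name != name:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)

if __name__ == "__main__":
    # Constructed sample: an MD5 line is refused before any file is read.
    try:
        verify("example-1.0.tar.xz", "MD5 (example-1.0.tar.xz) = " + "0" * 32)
    except ValueError as e:
        print(e)
```

The result is only as trustworthy as the channel the checksum line came from; the archive itself can come from anywhere.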