Devil's advocate: it might complicate things for someone that needs to use FIPS, where MD5 can be a pain to deal with.
On Fri, Dec 7, 2018 at 8:50 AM Devin Jeanpierre <[email protected]> wrote:

> On Fri, Dec 7, 2018 at 1:40 AM Antoine Pitrou <[email protected]> wrote:
>
>> md5 is only used for a quick integrity check here (think of it as a
>> sophisticated checksum). For security you need to verify the
>> corresponding GPG signature.
>>
>
> More to the point: you're getting the hash from the same place as the
> binary. If one is vulnerable to modifications by attackers, both are. So it
> doesn't matter. The real defense most people are relying on is TLS.
>
> -- Devin
> _______________________________________________
> Python-ideas mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
