-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Aloha!
Tarek Ziadé wrote: > The prefix is a good idea but since it's just a checksum to control > that the file hasn't changed > what's wrong with using a weak hash algorithm like md5 or now sha1 ? Because it creates a dependency to an old algorithm that should be deprecated. Also using MD5, even for a thing like this might make people belive that it is an ok algorithm to use - "Hey, it is used by the default install in Python, so it must be ok, right?" If we flip the argument around: Why would you want to use MD5 instead of SHA-256? For the specific use case the performance will not (should not) be an issue. As I wrote a few mails ago, it is time to move forward from MD5 and designing something in 2009 that will be around for many years that uses MD5 is (IMHO) a bad design decision. > If someone wants to modify a file of a distribution he can recreate > the checksum as well, > the only secured way to prevent that would be to use gpg keys but > isn't that overkill for what we need ? Actually, adding this type of security would IMHO be a good idea. - -- Med vänlig hälsning, Yours Joachim Strömbergson - Alltid i harmonisk svängning. ======================================================================== Kryptoblog - IT-säkerhet på svenska http://www.strombergson.com/kryptoblog ======================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkpMsuYACgkQZoPr8HT30QELagCghfYyHyK5jnkS8DlaQ2ZX4KR8 W+YAniWSvWRvm47/xGu0thTaYioETY94 =2x3X -----END PGP SIGNATURE----- -- http://mail.python.org/mailman/listinfo/python-list
