Issue 28555: provid also sha-1 and sha-256 also on download links

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/72741

classification

Title:	provid also sha-1 and sha-256 also on download links
Type:		Stage:
Components:		Versions:	Python 3.6

process

Status:	closed	Resolution:	wont fix
Dependencies:		Superseder:
Assigned To:		Nosy List:	Big Stone, benjamin.peterson, ned.deily
Priority:	normal	Keywords:

Created on 2016-10-29 09:14 by Big Stone, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg279666 - (view)	Author: Big Stone (Big Stone)	Date: 2016-10-29 09:14
It would be nice to have also sha-1 and sha-256 provided with python-360b3 download links and annoucement (so no separate sites). md5 is dangerously easy to workaround nowodays
msg279667 - (view)	Author: Big Stone (Big Stone)	Date: 2016-10-29 09:16
oups ! i mean "ON several sites"
msg280286 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2016-11-08 07:33
md5 is provided to verify the integrity of the download only. Use the GPG signatures to verify authenticity if the fact that all the downloads are served over HTTPS is insufficient.
msg280336 - (view)	Author: Big Stone (Big Stone)	Date: 2016-11-08 19:17
I fear GPG is not easy stuff for Windows users. I fear a bunch of people on this network can circomvent DNS and make python.org points to the wrong place. sha-1 instead of md5 would have been an improvement.
msg280361 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2016-11-08 23:22
If python.org can be MITMed, it doesn't matter how secure the hash is. On Tue, Nov 8, 2016, at 11:17, Big Stone wrote: > > Big Stone added the comment: > > I fear GPG is not easy stuff for Windows users. > > I fear a bunch of people on this network can circomvent DNS and make > python.org points to the wrong place. > > sha-1 instead of md5 would have been an improvement. > > ---------- > > _______________________________________ > Python tracker <report@bugs.python.org> > <http://bugs.python.org/issue28555> > _______________________________________

History
Date	User	Action	Args
2022-04-11 14:58:38	admin	set	github: 72741
2016-11-08 23:22:44	benjamin.peterson	set	messages: + msg280361
2016-11-08 19:17:32	Big Stone	set	messages: + msg280336
2016-11-08 07:33:06	benjamin.peterson	set	status: open -> closed nosy: + benjamin.peterson messages: + msg280286 resolution: wont fix
2016-11-07 13:59:02	berker.peksag	set	nosy: + ned.deily
2016-10-29 09:16:09	Big Stone	set	messages: + msg279667 versions: + Python 3.6
2016-10-29 09:14:27	Big Stone	create