classification
Title: provide also sha-1 and sha-256 also on download links
Type:
Stage:
Components:
Versions: Python 3.6

process
Status: closed
Resolution: wont fix
Dependencies:
Superseder:
Assigned To:
Nosy List: Big Stone, benjamin.peterson, ned.deily
Priority: normal
Keywords:

Created on 2016-10-29 09:14 by Big Stone, last changed 2016-11-08 23:22 by benjamin.peterson. This issue is now closed.

Messages (5)
msg279666 - (view) Author: Big Stone (Big Stone) Date: 2016-10-29 09:14
It would be nice to have also sha-1 and sha-256 provided with python-360b3 download links and announcement (so no separate sites).

md5 is dangerously easy to work around nowadays
msg279667 - (view) Author: Big Stone (Big Stone) Date: 2016-10-29 09:16
Oops! I mean "ON several sites"
msg280286 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2016-11-08 07:33
md5 is provided to verify the integrity of the download only. Use the GPG signatures to verify authenticity if the fact that all the downloads are served over HTTPS is insufficient.
msg280336 - (view) Author: Big Stone (Big Stone) Date: 2016-11-08 19:17
I fear GPG is not easy stuff for Windows users.

I fear a bunch of people on this network can circumvent DNS and make python.org point to the wrong place.

sha-1 instead of md5 would have been an improvement.
msg280361 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2016-11-08 23:22
If python.org can be MITMed, it doesn't matter how secure the hash is.

On Tue, Nov 8, 2016, at 11:17, Big Stone wrote:
>
> Big Stone added the comment:
>
> I fear GPG is not easy stuff for Windows users.
>
> I fear a bunch of people on this network can circumvent DNS and make
> python.org point to the wrong place.
>
> sha-1 instead of md5 would have been an improvement.
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue28555>
> _______________________________________
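
An added example, not part of the tracker thread or of python.org's tooling: it models the point made in msg280286 and msg280361, that a checksum published beside the file detects a damaged transfer but not a substituted server, whatever the hash algorithm. The sample bytes are constructed, and the digest pinned out of band is an assumed stand-in for the GPG signature check, which the standard library cannot perform.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a real installer and a substituted one.
GENUINE = b"constructed genuine installer bytes"
SUBSTITUTED = b"constructed substituted installer bytes"


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def download_page(artifact: bytes, algo: str) -> dict:
    """Model a download page: file and checksum come from the same server."""
    return {"file": artifact, "algo": algo, "checksum": digest(artifact, algo)}


def verify_same_channel(page: dict) -> bool:
    """Integrity check: compare the file with the checksum listed beside it."""
    actual = digest(page["file"], page["algo"])
    return hmac.compare_digest(actual, page["checksum"])


def verify_pinned(page: dict, pinned_sha256: str) -> bool:
    """Authenticity stand-in (assumption): compare with a digest obtained out of band."""
    return hmac.compare_digest(digest(page["file"], "sha256"), pinned_sha256)


def run_demo() -> dict:
    pinned = digest(GENUINE, "sha256")  # assumed to reach the user by a trusted path
    results = {}
    for algo in ("md5", "sha1", "sha256"):
        # Damaged transfer: genuine checksum, one byte lost in transit.
        damaged = download_page(GENUINE, algo)
        damaged["file"] = GENUINE[:-1]
        # Impersonated server: it publishes a checksum matching its own file.
        fake = download_page(SUBSTITUTED, algo)
        results[algo] = {
            "damaged_detected": not verify_same_channel(damaged),
            "substitution_detected_same_channel": not verify_same_channel(fake),
            "substitution_detected_pinned": not verify_pinned(fake, pinned),
        }
    return results


if __name__ == "__main__":
    for algo, outcome in run_demo().items():
        print(algo, outcome)
```
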
History
Date | User | Action | Args
2016-11-08 23:22:44 | benjamin.peterson | set | messages: + msg280361
2016-11-08 19:17:32 | Big Stone | set | messages: + msg280336
2016-11-08 07:33:06 | benjamin.peterson | set | status: open -> closed; nosy: + benjamin.peterson; messages: + msg280286; resolution: wont fix
2016-11-07 13:59:02 | berker.peksag | set | nosy: + ned.deily
2016-10-29 09:16:09 | Big Stone | set | messages: + msg279667; versions: + Python 3.6
2016-10-29 09:14:27 | Big Stone | create |