This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Provide SHA256 checksums for installers
Type: security
Stage: resolved
Components: Installation
Versions: Python 3.8, Python 3.7, Python 2.7

process
Status: closed
Resolution: wont fix
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, fazl
Priority: normal
Keywords:

Created on 2019-03-16 13:18 by fazl, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (2)
msg338083 - Author: fazl (fazl) Date: 2019-03-16 13:18
Python is widely used and should use more trustworthy checksums than MD5.

Even the successor to MD5 (SHA-1) was considered insecure in 2017. From https://nakedsecurity.sophos.com/2017/02/23/bang-sha-1-collides-at-38762cf7f55934b34d179ae6a4c80cadccbb7f0a/ :

"For many years [...] MD5 was widely used [...] but it is now forbidden in the cryptographic world because [...] MD5 collisions are easy to generate on purpose, so the algorithm can no longer be trusted."
msg338091 - Author: Benjamin Peterson (benjamin.peterson) (Python committer) Date: 2019-03-16 18:28
MD5 isn't a security measure. It's provided for a quick check of integrity.

History
Date User Action Args
2022-04-11 14:59:12 admin set github: 80497
2019-03-16 18:28:24 benjamin.peterson set status: open -> closed; resolution: wont fix; messages: + msg338091; stage: resolved
2019-03-16 13:25:36 SilentGhost set nosy: + benjamin.peterson
2019-03-16 13:18:34 fazl create