This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients antoine.pietri, christian.heimes, loewis, rhettinger, vstinner
Date 2018-10-16.14:42:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1539700949.28.0.788709270274.issue34930@psf.upfronthosting.co.za>
In-reply-to
Content 
I talked to some experts (Alex Gaynor, Simo Sorce). They all share my sentiment and are against SHA1DC. The algorithm is just a poor bandaid for a gapping security issue. Everybody was strongly against replacing SHA1 with SHA1DC by default, because it's an incompatible implementation. SHA1DC is only able to counteract some of the known flaws, too. Even git doesn't replace SHA1 with SHA1DC directly. Instead it turns a detected collision into a fatal error [1].

I'm -1 to add it to the Python standard library. Alex pointed out that the lack of SHA1DC in OpenSSL is a clear sign that it's not generally useful. SHA1DC may be useful for few applications like git. In general it's not a fool-proof safety net for SHA1.

[1] https://github.com/git/git/blob/master/sha1dc_git.c#L17-L23
History
Date User Action Args
2018-10-16 14:42:29christian.heimessetrecipients: + christian.heimes, loewis, rhettinger, vstinner, antoine.pietri
2018-10-16 14:42:29christian.heimessetmessageid: <1539700949.28.0.788709270274.issue34930@psf.upfronthosting.co.za>
2018-10-16 14:42:29christian.heimeslinkissue34930 messages
2018-10-16 14:42:29christian.heimescreate