Message 369442 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes
Date	2020-05-20.11:32:43
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1589974363.4.0.0200698249561.issue40698@roundup.psfhosted.org>
In-reply-to

Content
The distutils upload command creates a MD5 digest of the file content. This is not compatible with systems with systems that run under a strict security policy that blocks MD5. Possible fixes are: * declare that the MD5 digest is not used for security. Security is provided by TLS/SSL and HTTPS. The digest is just a simple checksum to detect file corruption during upload. * Remove MD5 digest completely * Don't create a MD5 digest if ``hashlib.md5(content)`` fails * Skip the test case if MD5 is not available Does PyPI support other digests, e.g. SHA2-256 digest?

The distutils upload command creates a MD5 digest of the file content. This is not compatible with systems with systems that run under a strict security policy that blocks MD5.

Possible fixes are:

* declare that the MD5 digest is not used for security. Security is provided by TLS/SSL and HTTPS. The digest is just a simple checksum to detect file corruption during upload.
* Remove MD5 digest completely
* Don't create a MD5 digest if ``hashlib.md5(content)`` fails
* Skip the test case if MD5 is not available

Does PyPI support other digests, e.g. SHA2-256 digest?

History
Date	User	Action	Args
2020-05-20 11:32:43	christian.heimes	set	recipients: + christian.heimes
2020-05-20 11:32:43	christian.heimes	set	messageid: <1589974363.4.0.0200698249561.issue40698@roundup.psfhosted.org>
2020-05-20 11:32:43	christian.heimes	link	issue40698 messages
2020-05-20 11:32:43	christian.heimes	create