Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Constrain allowed hash algos to "better than sha256" of PEP 427 #4

Open
MrMino opened this issue Mar 28, 2021 · 2 comments
Open

Constrain allowed hash algos to "better than sha256" of PEP 427 #4

MrMino opened this issue Mar 28, 2021 · 2 comments

Comments

@MrMino
Copy link
Owner

MrMino commented Mar 28, 2021

This has surfaced within #3.

PEP 427 declares the following requirement on the RECORD file:

The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted, as signed wheel files rely on the strong hashes in RECORD to validate the integrity of the archive.

It isn't rigorously obvious what does the "or better" mean in this context.

Request clarification on this & when a response is received - improve the WheelRecord class accordingly.

@e2thenegpii
Copy link
Contributor

https://mail.python.org/archives/list/python-dev@python.org/thread/TP5DEDAW5TUQS44BY6RE2HHRRGOL56HZ/

@MrMino
Copy link
Owner Author

MrMino commented Mar 28, 2021

Good, that solves that part then. Looks like only SHA-256, SHA-384, and SHA-512 are permitted? That's a bit weird way to state it...

@MrMino MrMino changed the title Reminder: request clarification on "better than sha256" of PEP 427 Constrain allowed hash algos to "better than sha256" of PEP 427 Mar 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants