-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aloha!
The prefix is a good idea but since it's just a checksum to control
that the file hasn't changed
what's wrong with using a weak hash algorithm like md5 or now sha1 ?
Because it creates a dependency to an old algorithm that should be
deprecated. Also using MD5, even for a thing like this might make people
belive that it is an ok algorithm to use - "Hey, it is used by the
default install in Python, so it must be ok, right?"
If we flip the argument around: Why would you want to use MD5 instead of
SHA-256? For the specific use case the performance will not (should not)
be an issue.
As I wrote a few mails ago, it is time to move forward from MD5 and
designing something in 2009 that will be around for many years that uses
MD5 is (IMHO) a bad design decision.
If someone wants to modify a file of a distribution he can recreate
the checksum as well,
the only secured way to prevent that would be to use gpg keys but
isn't that overkill for what we need ?
Actually, adding this type of security would IMHO be a good idea.
- --
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Kryptoblog - IT-säkerhet på svenska
http://www.strombergson.com/kryptoblog
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org
iEYEARECAAYFAkpMsuYACgkQZoPr8HT30QELagCghfYyHyK5jnkS8DlaQ2ZX4KR8
W+YAniWSvWRvm47/xGu0thTaYioETY94
=2x3X
-----END PGP SIGNATURE-----