Tests should use a modern hash (SHA-256 instead of MD5) #12363
Comments
Good idea. Just checked it, Python 2.6 supports up to sha512. An implementation can allow sha256 (or 512) for new _TESTS, as changing all tests at a time is impractical.
SHA-512 would be better than 256, but even better would be using SHA3-512 even if it takes having an additional lib. But definitely SHA-256 at minimum.
SHA3 is not available in stdlib until Python 3.6 (http://bugs.python.org/issue16113). I don't think there's a need to bring another external dependency for tests. They don't need cryptographically secure hashes.
@rautamiekka there is such a thing as overdoing it, I guess sha128 should be enough to... You should also keep code efficiency in mind; I am using youtube-dl on embedded systems with low resources, and I don't like it if unnecessary resource-consuming things are used when another method can also do it in a sufficient way. I think the only thing that should be prevented here is that by coincidence the same hash will work for two different data streams, which is very improbable even with md5 but will be completely improbable if you use anything from sha128. So IMHO it's good to move away from md5, but you shouldn't overdo it, and sha512 will be more than enough, so do something balanced between efficiency and stability like sha128 or sha256. And don't import any unnecessary libs that have to be babysat (like security problems/updates/(version) incompatibility in external libraries) too and take up space.
youtube-dl's download tests all use MD5 as a hash. While it's probably not cryptographically critical that download testing use a secure hash, the world has moved past MD5, and past SHA-1. youtube-dl should at least support SHA-256 in the info_dict, and use whichever hash has been supplied in the _TEST's info_dict.
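A sketch of the "use whichever hash has been supplied" idea from the issue, as an added example that is not youtube-dl's code: it uses only `hashlib` from the standard library, keeps existing MD5 entries working, and prefers a stronger digest when a test entry carries one. The key names `sha512`, `sha256` and `md5`, the helper names and the sample data are assumptions made for this example.

```python
import hashlib
import hmac
import io

# Strongest first. Key names are assumptions for this example,
# not youtube-dl's actual test schema.
SUPPORTED_HASHES = ('sha512', 'sha256', 'md5')


def stream_digest(stream, algo, chunk_size=64 * 1024):
    """Hash a binary stream in fixed-size chunks so memory use stays flat."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b''):
        h.update(chunk)
    return h.hexdigest()


def pick_hash(expected):
    """Return (algo, hex digest) for the strongest hash the entry supplies."""
    for algo in SUPPORTED_HASHES:
        if algo in expected:
            value = expected[algo].lower()
            want = hashlib.new(algo).digest_size * 2
            # Catch a digest pasted under the wrong key (e.g. MD5 as sha256).
            if len(value) != want:
                raise ValueError('%s digest must be %d hex chars' % (algo, want))
            return algo, value
    raise KeyError('no supported hash in test entry')


def verify_download(stream, expected):
    """Check a downloaded stream against whichever hash the entry carries."""
    algo, value = pick_hash(expected)
    actual = stream_digest(stream, algo)
    return algo, hmac.compare_digest(actual, value)


# Constructed sample data standing in for a downloaded file.
SAMPLE = b'constructed sample payload\n' * 1000
LEGACY_TEST = {'md5': hashlib.md5(SAMPLE).hexdigest()}
NEW_TEST = {'sha256': hashlib.sha256(SAMPLE).hexdigest()}

if __name__ == '__main__':
    for entry in (LEGACY_TEST, NEW_TEST):
        print(verify_download(io.BytesIO(SAMPLE), entry))
```

Because the algorithm is chosen per entry, existing tests can be migrated one at a time instead of all at once.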