Skip to content

Use safer hash (sha256/sha3/blake[2|3]) by default and warn on sha1/md5 usage

sha1 is not safe anymore (easy to generate collisions):

https://shattered.io/ https://sha-mbles.github.io/

and md5 is even more broken then sha1, here tool to generate collisions for both md5/sha1 hashes:

https://github.com/corkami/collisions

sha1 is used by default in:

./diffoscope/changes.py

def validate(self, check_hash="sha1", check_signature=True):
def validate_checksums(self, check_hash="sha1"):

fix: use sha256 by default here? emit warning if md5/md5sum/sha1 are used for check_hash that it's no longer safe to use them for validation.

./diffoscope/diff.py

h = hashlib.sha1()
"[ Too much input for diff (SHA1: {}) ]\n".format(
        ] + "[ ... truncated by diffoscope; len: {}, SHA1: {} ... ]".format(
            len(s[sz:]), hashlib.sha1(s[sz:].encode('utf-8')).hexdigest()

./diffoscope/feeders.py

h = hashlib.sha1()
"[ Too much input for diff (SHA1: {}) ]\n".format(

fix:

  • don't use hardcoded string "SHA1" change it to the name of algorithm used by hashlib invocation.
  • use sha256/sha3/blake2/blake3 instead of sha1, for example the hashlib.algorithms_guaranteed on python 3.8.3 return: {'sha3_512', 'blake2b', 'shake_128', 'md5', 'shake_256', 'sha3_224', 'sha3_384', 'blake2s', 'sha256', 'sha3_256', 'sha1', 'sha512', 'sha384', 'sha224'}
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information