
provide modern checksums or hashes for downloads on https://www.python.org #1512


Closed
ghost opened this issue Oct 5, 2019 · 2 comments

ghost commented Oct 5, 2019

Is your feature request related to a problem? Please describe.
Only MD5 checksums are available, e.g. on https://www.python.org/downloads/release/python-374/. This is odd since most production-grade open-source projects like Go, .NET Core, Ruby, Julia, Ubuntu, Fedora and PHP provide SHA-256 or SHA-512 checksums for verifying the integrity of downloads.

This makes it impossible to ask anyone to do anything that involves downloading python.


Describe the solution you'd like
It would be great if SHA-256 checksums were also available, preferably in a separate file that works well with tools like

  • the sha256sum utility. By default it expects a default filename pair, e.g. for asd.exe the checksum is in asd.exe.SHA256, so sha256sum -c asd.exe.SHA256 can be used to check integrity.
  • the Get-FileHash cmdlet and other pre-installed utilities, and tools like 7-Zip.

Describe alternatives you've considered
alternatives are (arranged in no meaningful order):

1. to use other open-source programming languages that are more up-to-date with

  • capable of meeting reasonable requirements
  • the requirements of users.

this is what I do now.

2. since the actual use-case is solving a problem, solve it using other tools that don't have an easily exploitable node at the core of their toolchain. this is currently the most viable alternative. similar to the first.

3. using a third-party package manager like

  • 'homebrew' on linux, macOS
  • 'scoop' or 'choco' on Windows.

this doesn't actually solve the problem, but makes it easy to hide it and forget about it, for projects that dislike security. also introduces an unnecessary dependency into the environment setup, that can be compromised. this is the alternative, but not for my use-cases.

Additional context

Here I will ignore whether they are generated using SHA-2 or SHA-3 as it's mostly irrelevant, but for the sake of elaborating obvious things:

  • it's hard to find that information for each project.
  • it's hard to verify that information.
  • it is reasonable to expect that more modern solutions will be used as they are a better solution.

avoiding OS package managers since they are mostly retro-fitted for this use-case and have other major demerits, and lack essential features since they were designed for an outdated OS.

definitions

  • integrity is "the state of being whole and undivided."
  • production grade is any project that meets the requirements of being used in a project in production.

obviously, it would be better if

  • they were available for all presently supported releases, including preview releases, and on pages that are available to users.
  • more future-proof checksums were provided, e.g. SHA512
  • outdated checksums were removed, e.g. SHA1, MD5

downloading anaconda or miniconda is, to be brief:

  • a horrible idea
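The sha256sum -c convention the request above relies on (a file of "<digest>  <name>" lines next to the download) can be verified without coreutils, which matters on Windows where only Get-FileHash is preinstalled. The following is an added example written for this page, not code from the thread or from python.org; asd.exe / asd.exe.SHA256 are the names used in the request, while other.bin and missing.bin and all file contents are constructed test data. It treats a malformed line as an error rather than skipping it, so a truncated or edited checksum list cannot report success.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One entry per line, as `sha256sum` writes it: "<64 hex chars>  <name>"
# (two spaces, text mode) or "<64 hex chars> *<name>" (binary mode).
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def sha256_of(path):
    """Stream the file so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(checksum_path):
    """Mirror `sha256sum -c`: return {name: "OK" | "FAILED" | "MISSING"}.
    Names resolve relative to the checksum file. A malformed line raises
    instead of being skipped, so an edited or truncated list cannot pass."""
    base = Path(checksum_path).parent
    results = {}
    for raw in Path(checksum_path).read_text(encoding="utf-8").splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        target = base / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of(target) == digest else "FAILED"
    return results

def demo():
    """Constructed data: an intact file, one altered after hashing, one absent."""
    d = Path(tempfile.mkdtemp())
    (d / "asd.exe").write_bytes(b"constructed installer bytes")
    (d / "other.bin").write_bytes(b"original bytes")
    sums = f"{sha256_of(d / 'asd.exe')}  asd.exe\n"
    sums += f"{sha256_of(d / 'other.bin')} *other.bin\n"
    sums += "0" * 64 + "  missing.bin\n"
    (d / "other.bin").write_bytes(b"modified bytes")  # tamper after hashing
    (d / "asd.exe.SHA256").write_text(sums, encoding="utf-8")
    return verify(d / "asd.exe.SHA256")
```

A checksum only detects corruption or tampering of the file relative to the list; if the list is served from the same place as the download, the GPG signatures mentioned later in the thread are what ties it to the publisher.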

ghost commented Oct 5, 2019

let me know if you want more details, e.g.

  • if you want to talk.
  • if this issue is irrelevant, in which case, close it as fast as possible.

notes -

searched for issues using is:issue releases is:open; 77 issues were closed.
the https://github.com/python/cpython repo doesn't have an issues page, and no public chat option is available.


tag: downloads

@ghost ghost closed this as completed Oct 5, 2019
@ghost ghost reopened this Oct 5, 2019
ned-deily (Member) commented

Thank you for your report and sorry for the delay in responding. The use of legacy md5 checksums for python.org download files is already covered in open issue #1227. As noted there, while it will be good to eliminate the md5 checksums, they are actually redundant as we already provide GPG signature files for each download which are more robust than a simple checksum. I am going to close this issue as a duplicate.
