The default hash function in BaseInstalledDistribution in pip is MD5, but it is never actually invoked?

kexinoh · November 19, 2024, 9:42am

In the BaseInstalledDistribution , there is a get_hash function that allows for a custom hasher to be defined. However, the get_hash in BaseInstalledDistribution is only called by InstalledDistribution . The EggInfoDistribution has its own reimplementation of an MD5 function internally, while InstalledDistribution is set to use SHA256. This means the default MD5 function will never be invoked. Should it be removed? Or should the default MD5 algorithm be changed to SHA256, which sounds more secure, even though it will not be called?

def get_hash(self, data, hasher=None):
        if hasher is None:
            hasher = self.hasher
        if hasher is None:
            hasher = hashlib.md5
            prefix = ''
        else:
            hasher = getattr(hashlib, hasher)
            prefix = '%s=' % self.hasher
        digest = hasher(data).digest()
        digest = base64.urlsafe_b64encode(digest).rstrip(b'=').decode('ascii')
        return '%s%s' % (prefix, digest)

brettcannon · November 20, 2024, 10:44pm

What is a “BaseInstalledDistribution”?

kexinoh · November 21, 2024, 2:32am

pip/src/pip/_vendor/distlib/database.py at fe0925b3c00bf8956a0d33408df692ac364217d4 · pypa/pip
pip used for managing installations.

brettcannon · November 21, 2024, 3:40am

I updated the title to be a bit more descriptive.

saaketp · November 21, 2024, 4:13am

It is actually in distlib distlib/distlib/database.py at c6fc08e9fbc81c4350ecc5c7e9729c5b2711c422 · pypa/distlib · GitHub.
pip just has the vendored copy of it.

I’m not sure this needs discussion here, you can probably directly open an issue in the distlib issue tracker: