Remove MD5 checksums

hugovk · hugovk · commit 9ebb6d12b2ad · 2026-02-21T12:57:01.000+02:00
diff --git a/add_to_pydotorg.py b/add_to_pydotorg.py
@@ -172,12 +172,6 @@ def sigfile_for(release: str, rfile: str) -> str:
     return download_root + f"{release}/{rfile}.asc"
 
 
-def md5sum_for(filename: str) -> str:
-    return hashlib.md5(
-        open(filename, "rb").read(),
-    ).hexdigest()
-
-
 def sha256sum_for(filename: str) -> str:
     """Returns SHA-256 checksum for filename."""
     return hashlib.sha256(open(filename, "rb").read()).hexdigest()
@@ -235,7 +229,6 @@ def build_file_dict(
         "description": add_desc,
         "is_source": os_pk == 3,
         "url": download_root + f"{base_version(release)}/{rfile}",
-        "md5_sum": md5sum_for(filename),
         "sha256_sum": sha256sum_for(filename),
         "filesize": filesize_for(filename),
         "download_button": add_download,
diff --git a/release.py b/release.py
@@ -590,11 +590,11 @@ def tarball(source: str, clamp_mtime: str) -> None:
     )
     print("Making .tar.xz")
     run_cmd(["tar", "cJf", xz, *repro_options, source])
-    print("Calculating md5 sums")
-    checksum_tgz = hashlib.md5()
+    print("Calculating SHA-256 sums")
+    checksum_tgz = hashlib.sha256()
     with open(tgz, "rb") as data:
         checksum_tgz.update(data.read())
-    checksum_xz = hashlib.md5()
+    checksum_xz = hashlib.sha256()
     with open(xz, "rb") as data:
         checksum_xz.update(data.read())
     print(f"  {checksum_tgz.hexdigest()}  {os.path.getsize(tgz):8}  {tgz}")
diff --git a/tests/test_add_to_pydotorg.py b/tests/test_add_to_pydotorg.py
@@ -70,7 +70,6 @@ def test_build_file_dict(tmp_path: Path) -> None:
         "description": "Test description",
         "is_source": False,
         "url": f"{release_url}/test-artifact.txt",
-        "md5_sum": "3e25960a79dbc69b674cd4ec67a72c62",
         "sha256_sum": "64ec88ca00b268e5ba1a35678a1b5316d212f4f366b2477232534a8aeca37f3c",
         "filesize": 11,
         "download_button": True,
diff --git a/tests/test_sbom.py b/tests/test_sbom.py
@@ -111,7 +111,6 @@ def test_fetch_project_metadata_from_pypi(mocker):
                 {
                     "digests": {
                         "blake2b_256": "94596638090c25e9bc4ce0c42817b5a234e183872a1129735a9330c472cc2056",
-                        "md5": "1331aabb4d1a2677f493effeebda3605",
                         "sha256": "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2",
                     },
                     "filename": "pip-24.0.tar.gz",
@@ -121,7 +120,6 @@ def test_fetch_project_metadata_from_pypi(mocker):
                 {
                     "digests": {
                         "blake2b_256": "8a6a19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b",
-                        "md5": "74e3c5e4082113b1239ca0e9abfd1e82",
                         "sha256": "ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc",
                     },
                     "filename": "pip-24.0-py3-none-any.whl",
