From fbdacc184f9b5106dfb79576edad9a63497ebd11 Mon Sep 17 00:00:00 2001
From: Laurent Monin
Date: Tue, 19 Sep 2023 14:00:11 +0200
Subject: [PATCH] Replace hashlib.md5() with hashlib.blake2b()
It is faster, and more secure.
---
 picard/coverart/image.py | 6 ++----
 picard/tagger.py | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/picard/coverart/image.py b/picard/coverart/image.py
index 8686992c616..b45b9c81d64 100644
--- a/picard/coverart/image.py
+++ b/picard/coverart/image.py
@@ -28,7 +28,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-from hashlib import md5
+from hashlib import blake2b
 import os
 import shutil
 import tempfile
@@ -77,9 +77,7 @@ def __init__(self, data, prefix='picard', suffix=''):
 self._filename = None
 _datafile_mutex.lock()
 try:
- m = md5() # nosec
- m.update(data)
- self._hash = m.hexdigest()
+ self._hash = blake2b(data).hexdigest()
 if self._hash not in _datafiles:
 (fd, self._filename) = tempfile.mkstemp(prefix=prefix, suffix=suffix)
 QObject.tagger.register_cleanup(self.delete_file)
diff --git a/picard/tagger.py b/picard/tagger.py
index f4c643c1993..439221bce06 100644
--- a/picard/tagger.py
+++ b/picard/tagger.py
@@ -47,7 +47,7 @@
 import argparse
 from functools import partial
-from hashlib import md5
+from hashlib import blake2b
 import logging
 import os
 import platform
@@ -1532,7 +1532,7 @@ def main(localedir=None, autoupdate=True):
 if picard_args.stand_alone_instance:
 identifier = uuid4().hex
 else:
- identifier = md5(picard_args.config_file.encode('utf8')).hexdigest() if picard_args.config_file else 'main' # nosec: B303
+ identifier = blake2b(picard_args.config_file.encode('utf8'), digest_size=16).hexdigest() if picard_args.config_file else 'main' # nosec: B303
 identifier += '_NP' if picard_args.no_plugins else ''
 if picard_args.processable:
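Review bot: The new `self._hash = blake2b(data).hexdigest()` in `__init__` uses the default 64-byte digest, so `_hash` grows from 32 to 128 hex characters, while the tagger.py hunk of this same patch passes `digest_size=16`. Anything outside this hunk that stores, logs or compares `_hash` by length or format should be checked; for the `_datafiles` lookup itself the longer digest is fine. The line also deserves a short comment on why collision resistance matters here, e.g. `# content hash keying _datafiles; a collision would presumably let two different images share one data file`. The body of `__init__` starts and ends outside the hunk.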
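Review bot: The trailing `# nosec: B303` on the new `identifier = blake2b(...)` line in `main` is stale, since B303 is Bandit's weak-hash (MD5/SHA-1) check and no longer applies to a `blake2b` call. A leftover suppression would hide a genuine finding if a weak hash were ever reintroduced on this line, so drop the comment, as the image.py hunk already does for its `# nosec`. `main` starts and ends outside the hunk.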