[robee]

The HMAC library in Python still uses MD5 (http://docs.python.org/library/hmac.html) which is known to be exploitable with hash collisions. My opinion is that its not too difficult to roll a MAC setup using some SHA based hash.

[adambard]

The constructor for the Python HMAC library just defaults to MD5; you can pass any of the hashlib modules to it via the digestmod parameter. I don't know why it doesn't default to something more secure, but it's no challenge to do.