[Distutils] Migrating Hashes from MD5 to SHA256

Donald Stufft donald at stufft.io
Fri Jul 26 21:27:21 CEST 2013


On Jul 26, 2013, at 3:24 PM, Christian Heimes <christian at python.org> wrote:

> A couple of months ago I suggested a schema that includes MD5, SHA-2
> and file size:
> 
>   file.tar.gz#MD5=1234&SHA-256=abcd&filesize=5023
> 
> That should work for old versions of setuptools and can easily be
> supported in new versions of pip and setuptools.

It won't work for old versions; it explicitly includes the end of line terminator and the #.

> A new hash sum scheme must include the possibility to add multiple and
> new hash algorithms. A download tool shall check the hash sum for all
> supported algorithms, too. I also like to see the file size in the
> scheme. It's useful to know the file size in preparation of the
> download. The file size validation mitigates some attack possibilities.

Right now that would break too much. I agree this is where we need to
get to, but it'll likely need to wait for the new API in Warehouse.

> Christian


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
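A checker for the fragment scheme quoted above, added here as an example (not pip's or setuptools' code): it parses the proposed `#MD5=...&SHA-256=...&filesize=...` fragment, rejects a size mismatch before doing any hashing, verifies every algorithm it supports and skips names it does not know. The SUPPORTED table, the constructed sample payload and the example.invalid URL are assumptions.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Algorithms this checker can verify, keyed by the name used in the fragment.
# Hypothetical table, not pip's; anything not listed is skipped, not an error.
SUPPORTED = {"md5": "md5", "sha-256": "sha256", "sha256": "sha256", "sha-512": "sha512"}

class VerificationError(Exception):
    pass

def parse_fragment(url):
    """Split 'file.tar.gz#MD5=..&SHA-256=..&filesize=..' into (digests, size)."""
    frag = urlsplit(url).fragment
    if not frag:
        raise VerificationError("no hash fragment on URL")
    digests, size = {}, None
    for key, value in parse_qsl(frag, keep_blank_values=True):
        key = key.lower()
        if key == "filesize":
            size = int(value)
        else:
            digests[key] = value.lower()
    return digests, size

def verify(url, data):
    """Check the size and every supported digest named in the fragment.
    Returns the list of algorithm names actually verified."""
    digests, size = parse_fragment(url)
    # Size first: an oversized or truncated download is rejected before hashing.
    if size is not None and len(data) != size:
        raise VerificationError("size mismatch: expected %d, got %d" % (size, len(data)))
    checked = []
    for name, expected in digests.items():
        algo = SUPPORTED.get(name)
        if algo is None:
            continue  # unknown algorithm: tolerated for forward compatibility
        if hashlib.new(algo, data).hexdigest() != expected:
            raise VerificationError("%s mismatch" % name)
        checked.append(name)
    if not checked:
        raise VerificationError("no supported hash algorithm in fragment")
    return checked

# Constructed sample: a fake archive payload and a fragment computed from it.
SAMPLE = b"not really a tarball\n"
SAMPLE_URL = "https://example.invalid/file.tar.gz#MD5=%s&SHA-256=%s&filesize=%d" % (
    hashlib.md5(SAMPLE).hexdigest(), hashlib.sha256(SAMPLE).hexdigest(), len(SAMPLE))

if __name__ == "__main__":
    print(verify(SAMPLE_URL, SAMPLE))
```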


