[Distutils] New buildout options: checksums and allow-omitted-checksums

Thomas Lotze thomas at thomas-lotze.de
Fri Mar 18 14:43:08 CET 2011


Marius Gedminas wrote:

> Please don't hardcode the checksum algorithm to MD5.  Security researchers
> have been telling everyone to stop using MD5 (and SHA1) for a while now.

Good point. All this talking about MD5 specifically has been due to the
fact that this is what used to be used by the download API and the
gocept.download recipe so far. To take up the idea I posted a few minutes
ago, one might specify checksums like this:

[checksums]
foo = http://example.org/foo.tgz algorithm:checksum-value

Since the checksum would be evaluated by the download API itself, many
checksum algorithms could be used since adding another algorithm in this
one place would add it consistently to all pieces of buildout and recipes
that download things.

-- 
Thomas
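To make the proposal concrete, here is a sketch of how such a [checksums] entry could be parsed and verified in one place, with hashlib doing the algorithm lookup. This is an added example, not code from the thread or from buildout's download API; the accepted-algorithm sets and the fallback to MD5 for entries without an "algorithm:" prefix are assumptions.

```python
import hashlib
import hmac
import io

# Constructed policy for this example: which hashlib algorithms to accept.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}
LEGACY_ALGORITHMS = {"md5", "sha1"}  # still recognised, but reported as weak


def parse_checksum_entry(value):
    """Split 'http://example.org/foo.tgz sha256:<hex>' into (url, algorithm, digest).

    A checksum without an 'algorithm:' prefix is assumed to be a legacy MD5
    value, so that existing buildout configurations keep parsing.
    """
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("expected '<url> <algorithm>:<checksum>', got %r" % value)
    url, spec = parts
    algorithm, sep, digest = spec.partition(":")
    if not sep:
        algorithm, digest = "md5", spec
    algorithm = algorithm.lower()
    if algorithm not in ALLOWED_ALGORITHMS | LEGACY_ALGORITHMS:
        raise ValueError("unsupported checksum algorithm: %r" % algorithm)
    return url, algorithm, digest.lower()


def verify_stream(stream, algorithm, expected_digest, chunk_size=1 << 16):
    """Hash a file-like object in chunks; return (matches, uses_weak_algorithm)."""
    # hashlib.new() is the single point where an algorithm name is resolved, so
    # adding a name to ALLOWED_ALGORITHMS makes it available to every caller.
    hasher = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    matches = hmac.compare_digest(hasher.hexdigest(), expected_digest)
    return matches, algorithm in LEGACY_ALGORITHMS


def verify_bytes(data, algorithm, expected_digest):
    """Convenience wrapper for in-memory data, e.g. a just-downloaded body."""
    return verify_stream(io.BytesIO(data), algorithm, expected_digest)


if __name__ == "__main__":
    # Constructed sample: these bytes stand in for the downloaded foo.tgz.
    payload = b"foo-1.0 contents"
    entry = "http://example.org/foo.tgz sha256:" + hashlib.sha256(payload).hexdigest()
    url, algorithm, digest = parse_checksum_entry(entry)
    print(url, algorithm, verify_bytes(payload, algorithm, digest))
```

A recipe would call verify_stream on the downloaded file and decide, from the second return value, whether to warn or refuse when a legacy algorithm is in use.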
