[Distutils] Proposal: drop md5 for sha256
Bohuslav Kabrda
bkabrda at redhat.com
Tue Jul 3 09:49:59 CEST 2012
----- Original Message -----
> On 7/3/12 9:42 AM, Bohuslav Kabrda wrote:
> > ----- Original Message -----
> >> I would like to amend the spec. The hash column of RECORD should
> >> be
> >>
> >> 'sha256:' + urlsafe_b64encode(hashlib.sha256(data))
> >>
> >> instead of the hopelessly obsolete md5. With a secure hash
> >> function,
> >> you can digitally sign RECORD.
> >>
> > Signing packages does sound interesting, but what authority would
> > sign them? The authors of the packages themselves?
>
> Notice that there's already a --sign feature in Distutils, using gpg.
>
Ah, I didn't know about that.
> Hash in the RECORD file have nothing to do with making sure the
> package
> is originated from developer X.
> Its only purpose is to know if a file on the system was changed
>
Well, since there is the --sign feature, I totally agree that md5 is sufficient for making checksums.
>
> Cheers
> Tarek
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
>
--
Regards,
Bohuslav "Slavek" Kabrda.
More information about the Distutils-SIG
mailing list