[Distutils] Migrating Hashes from MD5 to SHA256
Donald Stufft
donald at stufft.io
Sun Jul 28 19:30:45 CEST 2013
On Jul 28, 2013, at 8:31 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>
>> I'm going to go ahead and make this change unless someone comes out and
>> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
>> have an issue with the move.
>
> Your proposal is a little light on specification, unless I've missed it. For
> example:
>
> * How exactly will download URLs change? One would assume they'd have a
> fragment of 'sha256=...', where they currently have 'md5=...', but can you
> confirm this?
Yes, they will change to have #sha256=... instead of #md5=...
>
> * PyPI's XML-RPC API provides MD5 hashes in result dictionaries using a key
> 'md5_digest'. How will these result dictionaries change under your
> proposal?
Here we are a little more flexible. I can leave the md5_digest key there and
simply add a sha256_digest key.
>
> * PyPI's web interface has actions such as 'show_md5', will these stop
> working? (By actions, I mean query strings such as ':action=show_md5'.)
> Will new actions be added?
Again more flexible. I can simply add a show_sha256 action.
>
> I'm not familiar with the change process for PyPI - what is the workflow?
> For example, are patches posted for review?
Typically it's left up to us. We often just work and deploy changes without
any review process, but we can (and I have) get reviews beforehand. The
biggest problem with reviews is that PyPI is a very messy codebase with very
few people who understand it, so the pool of developers qualified to review
the code is very small.
On the warehouse side of things I don't develop directly on master; everything
comes through pull requests, and while there's no formal review process,
a number of folks have been checking my PRs and making comments as
they deemed fit.
>
> Regards,
>
> Vinay Sajip
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
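
The download-URL fragment format confirmed in the message above (#sha256=... replacing #md5=...), shown as a client-side integrity check. This is an added example, not part of the original message and not code from PyPI or any installer. The function names, the `allow_md5` switch, the host `files.example.invalid` and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms this (hypothetical) client understands in a URL fragment.
SUPPORTED = ("sha256", "md5")
HEX_DIGITS = set("0123456789abcdef")


def expected_digest(url):
    """Parse '#<algo>=<hexdigest>' from a download URL.

    Returns (algo, digest) or raises ValueError when the fragment is
    missing, names an unknown algorithm, or has a malformed digest.
    """
    algo, sep, value = urlsplit(url).fragment.partition("=")
    algo, value = algo.lower(), value.lower()
    if not sep or algo not in SUPPORTED:
        raise ValueError("no supported hash fragment in URL")
    # A truncated or padded digest must fail here, not at compare time.
    if len(value) != hashlib.new(algo).digest_size * 2 or set(value) - HEX_DIGITS:
        raise ValueError("malformed %s digest" % algo)
    return algo, value


def verify_download(url, data, allow_md5=False):
    """Return True only if `data` matches the digest named in `url`.

    md5 fragments are refused unless the caller opts in, so a client
    that has migrated cannot be silently pointed back at the weaker hash.
    """
    algo, want = expected_digest(url)
    if algo == "md5" and not allow_md5:
        raise ValueError("md5 fragment rejected; sha256 required")
    got = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(got, want)


# Constructed sample input: not a real package or a real index URL.
PAYLOAD = b"constructed sample archive bytes"
BASE = "https://files.example.invalid/packages/demo-1.0.tar.gz"
SHA_URL = BASE + "#sha256=" + hashlib.sha256(PAYLOAD).hexdigest()
MD5_URL = BASE + "#md5=" + hashlib.md5(PAYLOAD).hexdigest()

if __name__ == "__main__":
    print("sha256 ok:", verify_download(SHA_URL, PAYLOAD))
    print("tampered :", verify_download(SHA_URL, PAYLOAD + b"!"))
```
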