On Thu, 2018-03-22 at 21:56 +0000, Thomas Kluyver wrote:
I've been wondering about something – zip files already contain CRC-based checksums for each stored file. What benefit is there in storing a RECORD file which basically duplicates this functionality?
In terms of providing a foundation for security checks, I think CRC checksums are insufficient - they are meant to detect random data corruption, not a deliberate effort to make a malicious file.
If someone wanted to make a malicious file, what's preventing them from modifying the RECORD to match the modified file when there is no cryptographic signing involved?
You could simply use a cryptographic hash of the entire wheel zip file. I guess the advantage of storing file hashes in RECORD is that they can be checked against the installed code, not just the wheel package.
Distutils-SIG maillist - Distutils-SIG@python.org
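The following is an added example written for this page; it is not code from the thread, from wheel, or from pip. It builds a small wheel-like zip in memory from constructed sample files (package name `demo`, dist-info directory `demo-1.0.dist-info`, all assumed), replaces one file while appending four bytes that bring the file's CRC-32 back to the original value, and then checks it two ways: by the zip's per-entry CRCs, which still match, and by the sha256 digests in RECORD, which do not. The last step regenerates RECORD for the tampered content, which is the point made in the reply: with nothing signed, RECORD detects corruption but not a deliberate change by whoever can rewrite the archive. The CRC-forging routine is the standard "reverse the CRC over four bytes" technique; the RECORD format (path, `sha256=` urlsafe-base64 digest without padding, size) follows the wheel specification.

```python
import base64
import hashlib
import io
import zipfile
import zlib

# Reflected CRC-32 table (the polynomial zip/zlib use). _TOP maps an entry's
# top byte back to its index; those top bytes are unique, which is what lets
# us run the CRC backwards one byte at a time.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
_TOP = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}
assert len(_TOP) == 256

def crc32_tail(data: bytes, target: int) -> bytes:
    """Return four bytes t such that zlib.crc32(data + t) == target.
    Linearity: feeding bytes B from register r equals feeding (B XOR the
    little-endian bytes of r) from register 0, so walk the CRC backwards
    from the wanted register, then XOR in the current register."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # register before the final XOR
    want = target ^ 0xFFFFFFFF
    idx, s = [], want
    for _ in range(4):         # backwards: the top byte picks the table entry
        i = _TOP[s >> 24]
        idx.append(i)
        s = ((s ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    ys, s = [], 0
    for i in reversed(idx):    # forwards from 0: recover the byte values
        ys.append(i ^ (s & 0xFF))
        s = _TABLE[i] ^ (s >> 8)
    return bytes(y ^ ((reg >> (8 * j)) & 0xFF) for j, y in enumerate(ys))

def forge_ok(data: bytes, target: int) -> bool:
    return zlib.crc32(data + crc32_tail(data, target)) == target

def record_digest(data: bytes) -> str:
    """Digest as written in RECORD: urlsafe base64 of the sha256, no padding."""
    d = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=")
    return "sha256=" + d.decode()

DIST_INFO = "demo-1.0.dist-info"   # constructed name for the sample wheel

def build_wheel(files: dict) -> bytes:
    """Zip the files plus a RECORD listing each one's sha256 and size."""
    record = "".join(f"{p},{record_digest(b)},{len(b)}\n" for p, b in files.items())
    record += f"{DIST_INFO}/RECORD,,\n"   # RECORD lists itself with no hash
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p, b in files.items():
            zf.writestr(p, b)
        zf.writestr(f"{DIST_INFO}/RECORD", record)
    return buf.getvalue()

def entry_crcs(wheel: bytes) -> dict:
    """Per-entry CRC-32 from the central directory (what testzip() checks)."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return {i.filename: i.CRC for i in zf.infolist()}

def verify_record(wheel: bytes) -> dict:
    """path -> True if the entry's bytes match the sha256 in RECORD."""
    ok = {}
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        for line in zf.read(f"{DIST_INFO}/RECORD").decode().splitlines():
            path, digest, _size = line.split(",")
            if digest:
                ok[path] = record_digest(zf.read(path)) == digest
    return ok

def tamper(wheel: bytes, path: str, new_content: bytes) -> bytes:
    """Replace one entry, padded so its CRC-32 equals the original entry's."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        members = {i.filename: zf.read(i.filename) for i in zf.infolist()}
        target = zf.getinfo(path).CRC
    members[path] = new_content + crc32_tail(new_content, target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p, b in members.items():
            zf.writestr(p, b)   # zipfile recomputes the CRC; it comes out == target
    return buf.getvalue()

# Constructed sample package (a real attacker would hide the 4 tail bytes in a comment).
CLEAN = {"demo/__init__.py": b"def run():\n    return 'clean'\n"}
EVIL = b"def run():\n    return 'backdoor'\n"

def demo() -> dict:
    clean = build_wheel(CLEAN)
    evil = tamper(clean, "demo/__init__.py", EVIL)
    return {
        "crcs_unchanged": entry_crcs(evil) == entry_crcs(clean),
        "record_clean": verify_record(clean),
        "record_evil": verify_record(evil),
        # The reply's point: with nothing signed, the attacker just regenerates RECORD.
        "record_regenerated": verify_record(build_wheel({"demo/__init__.py": EVIL})),
    }
```

Running `demo()` gives `crcs_unchanged` as True and `record_evil` as `{"demo/__init__.py": False}`: the archive's own checksums are satisfied by the forged file, the RECORD digest is not. `record_regenerated` comes back True, because an attacker who can edit the file can just as easily rewrite RECORD; only a signature over RECORD (or over the whole wheel) turns the per-file hashes from a corruption check into an authenticity check, while the per-file form keeps the advantage noted above of being checkable against the installed files later.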