Ideally the authors would sign them with GPG imo. Which is already possible.

On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:

> ----- Original Message -----
> > I would like to amend the spec. The hash column of RECORD should be
> >
> >     'sha256:' + urlsafe_b64encode(hashlib.sha256(data))
> >
> > instead of the hopelessly obsolete md5. With a secure hash function, you can digitally sign RECORD.
>
> Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?
>
> > It would also make sense to allow RECORD to be omitted from RECORD.
>
> --
> Regards,
> Bohuslav "Slavek" Kabrda.

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
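The hash column proposed in the quoted message, implemented as an added example (this is not code from the thread, from the wheel project, or from any PEP): a function that produces the `'sha256:' + urlsafe_b64encode(...)` value, a builder that writes a RECORD manifest with RECORD's own entry left without a hash, and a verifier that checks a set of files against the manifest. The snippet in the message passes the hash object itself to `urlsafe_b64encode`; the code below encodes the digest bytes, which is what actually runs. The file names and contents are constructed for illustration, and the verifier's refusal of anything other than a `sha256:` entry is a design choice of this example, not something the thread specifies.

```python
import base64
import csv
import hashlib
import io

HASH_PREFIX = "sha256:"   # algorithm tag as proposed in the thread
RECORD_NAME = "RECORD"    # the manifest cannot carry its own hash


def record_hash(data: bytes) -> str:
    """Hash column value: raw SHA-256 digest bytes, URL-safe base64, prefixed."""
    digest = hashlib.sha256(data).digest()
    return HASH_PREFIX + base64.urlsafe_b64encode(digest).decode("ascii")


def build_record(files: dict) -> str:
    """Write RECORD text for a mapping of archive path -> file bytes.

    Each row is path,hash,size. RECORD itself is listed with an empty hash
    and size, since its hash cannot be included in the file it describes.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for path in sorted(files):
        data = files[path]
        writer.writerow([path, record_hash(data), str(len(data))])
    writer.writerow([RECORD_NAME, "", ""])
    return out.getvalue()


def verify_record(record_text: str, files: dict) -> list:
    """Check files against RECORD; return a list of problems (empty == OK).

    Only sha256 entries are accepted. An md5 or unknown entry is reported as
    a problem rather than passed, so a verifier cannot be downgraded to a
    weaker algorithm by whoever wrote the manifest.
    """
    problems = []
    listed = set()
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        path, hash_value, size = (row + ["", ""])[:3]
        listed.add(path)
        if path == RECORD_NAME:
            continue  # RECORD's own entry carries no hash to check
        if path not in files:
            problems.append(f"{path}: listed in RECORD but missing")
            continue
        data = files[path]
        if not hash_value.startswith(HASH_PREFIX):
            problems.append(f"{path}: unsupported hash entry {hash_value!r}")
            continue
        if hash_value != record_hash(data):
            problems.append(f"{path}: hash mismatch")
        if size and int(size) != len(data):
            problems.append(f"{path}: size mismatch")
    # Files that are present but unlisted are also a problem: an unsigned
    # RECORD says nothing about them, a signed one must cover everything.
    for path in files:
        if path not in listed and path != RECORD_NAME:
            problems.append(f"{path}: present but not listed in RECORD")
    return problems


# Constructed sample archive contents (not from any real package).
SAMPLE_FILES = {
    "example/__init__.py": b"",
    "example/core.py": b"def answer():\n    return 42\n",
    "example-1.0.dist-info/METADATA": b"Metadata-Version: 1.2\nName: example\nVersion: 1.0\n",
}


if __name__ == "__main__":
    record = build_record(SAMPLE_FILES)
    print(record)
    print("verify:", verify_record(record, SAMPLE_FILES) or "OK")
    tampered = dict(SAMPLE_FILES)
    tampered["example/core.py"] = b"def answer():\n    return 41\n"
    print("tampered:", verify_record(record, tampered))
```

Once RECORD is built this way, signing the RECORD file alone commits to every listed file's contents, which is the point the quoted message makes about a secure hash function. Note that the format PEP 427 eventually published differs in detail from the proposal quoted here: it uses `sha256=` as the separator and strips the trailing `=` padding from the base64 value; the functions above follow the wording of the message.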