Ideally the authors would sign them with GPG imo. Which is already

On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:

----- Original Message -----
I would like to amend the spec. The hash column of RECORD should be

'sha256:' + urlsafe_b64encode(hashlib.sha256(data))

instead of the hopelessly obsolete md5. With a secure hash function,
you can digitally sign RECORD.

Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?

It would also make sense to allow RECORD to be omitted from RECORD.
Distutils-SIG maillist -

Bohuslav "Slavek" Kabrda.
Distutils-SIG maillist -