Ideally the authors would sign them with GPG imo, which is already
possible.

On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:

----- Original Message -----
I would like to amend the spec. The hash column of RECORD should be

'sha256:' + urlsafe_b64encode(hashlib.sha256(data).digest())

instead of the hopelessly obsolete md5. With a secure hash function,
you can digitally sign RECORD.

Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?

It would also make sense to allow RECORD to be omitted from RECORD.

--
Regards,
Bohuslav "Slavek" Kabrda.
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
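As an added example (not code from the thread or from the wheel project), the following script builds RECORD entries with the proposed 'sha256:' + urlsafe_b64encode(sha256(data)) hash column and verifies a set of files against them. The CSV layout (path,hash,size), the rule that RECORD's own line carries no hash, and the policy of rejecting any non-sha256 entry as weak are assumptions made for illustration; the sample file contents are constructed.

```python
# Added example, not from the thread: build and verify RECORD entries using
# 'sha256:' + urlsafe_b64encode(sha256(data)) as the hash column.
# Assumed for illustration: CSV rows of path,hash,size; RECORD lists itself
# without a hash or size; anything other than sha256 is rejected as weak.
import base64
import csv
import hashlib
import io


def record_hash(data: bytes) -> str:
    """Hash column value: 'sha256:' followed by URL-safe base64 of the raw digest.
    Note the .digest() call: the hash object itself is not bytes and cannot be
    base64-encoded, so the one-liner in the thread needs it as well."""
    digest = hashlib.sha256(data).digest()
    return "sha256:" + base64.urlsafe_b64encode(digest).decode("ascii")


def build_record(files: dict) -> str:
    """Render RECORD as CSV rows path,hash,size in sorted path order.
    RECORD cannot contain its own digest, so its row has empty hash and size."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for path, data in sorted(files.items()):
        writer.writerow([path, record_hash(data), len(data)])
    writer.writerow(["RECORD", "", ""])
    return out.getvalue()


def verify_record(record_text: str, files: dict) -> list:
    """Return a list of problems; an empty list means every entry checked out.
    Checks: self-entry has no hash, algorithm is sha256, digest and size match,
    and no file is present without a RECORD entry."""
    problems = []
    listed = set()
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue  # blank line
        path, hash_value, size = row[0], row[1], row[2]
        listed.add(path)
        if path == "RECORD":
            if hash_value or size:
                problems.append("RECORD must not list its own hash")
            continue
        if path not in files:
            problems.append(f"{path}: listed in RECORD but missing")
            continue
        algo, _, _ = hash_value.partition(":")
        if algo != "sha256":
            # md5 (or a bare hex digest with no algorithm tag) is rejected.
            problems.append(f"{path}: weak or unknown hash algorithm {algo!r}")
            continue
        data = files[path]
        if hash_value != record_hash(data):
            problems.append(f"{path}: hash mismatch")
        elif int(size) != len(data):
            problems.append(f"{path}: size mismatch")
    for path in files:
        if path not in listed:
            problems.append(f"{path}: present but not listed in RECORD")
    return problems


# Constructed sample package contents (not a real distribution).
SAMPLE_FILES = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}

if __name__ == "__main__":
    record = build_record(SAMPLE_FILES)
    print(record)
    print("clean:", verify_record(record, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"pkg/core.py": b"def run():\n    return 43\n"})
    print("tampered:", verify_record(record, tampered))
```

Because the hash column is the thing a signature over RECORD would commit to, a verifier like this is the half that a signed RECORD still needs: the signature proves who produced the manifest, and the per-file digest check proves the installed files are the ones the manifest describes.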