On Mon, Dec 01, 2014 at 15:29 -0600, Ian Cordasco wrote:
On Mon, Dec 1, 2014 at 3:23 PM, holger krekel wrote:
On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft wrote:
On Dec 1, 2014, at 4:25 AM, holger krekel wrote:
Hi Donald,
On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
> On Nov 13, 2014, at 9:21 PM, Donald Stufft wrote:
> > Starting a new thread with more explicit details at Richard’s request.
> > Essentially the tl;dr here is that we'll switch to using sha2 (specifically sha256).
Ping?
Are we OK to make this change?
sorry i didn't get back earlier. Before the minor release of devpi-server last week i tried for two hours to change devpi-server to accommodate your planned pypi.python.org checksum changes.
I found the change cannot easily be done without changes to the underlying database schema and thus needs a major new release of devpi-server because an export/import cycle is needed. When doing that i also want to do some internal cleanup related to name normalization (and also relating to recent pypi.python.org changes) but i need a week or two i guess to do that. However i now think that if you do the pypi.python.org checksum change it shouldn't directly break devpi-server but it would remove checksum checking. I'd rather like to have a new major devpi-server release out when you do the change. Is it ok for you to wait a bit still?
best, holger
Yes, we can wait a bit. I was just going over my TODO list and making sure things weren’t getting lost in the shuffle.
Holger,
Is there any way people on this list can help with the updates to devpi so that we can get this out sooner?
Looking at devpi/server/devpi_server/extpypi.py and devpi/server/devpi_server/model.py mainly and changing most places where "md5" is found in the source and adapting related tests.
Is there a specific reason you are in a hurry if i may ask?
best, holger
No real hurry. I just like helping out when there's an opening and this thread has been around for a short while already. Given the topic is related to the security of PyPI and its users, I'd like to help move that forward if possible. That's all. (It's mostly me being selfish.)
Quite an empathic form of selfishness. If you want to check things out and have questions please feel free to ask maybe privately. holger