Re: [Distutils] API CHANGE - Migrating from MD5 to SHA2, Take 2

1 Dec 2014


      On Mon, Dec 01, 2014 at 15:29 -0600, Ian Cordasco wrote:
...
On Mon, Dec 1, 2014 at 3:23 PM, holger krekel  wrote:
...
On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
...
On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft  wrote:
...
...
On Dec 1, 2014, at 4:25 AM, holger krekel  wrote:
Hi Donald,
On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
...
> On Nov 13, 2014, at 9:21 PM, Donald Stufft  wrote:
>
> Starting a new thread with more explicit details at Richard’s request.
> Essentially the tl;dr here is that we'll switch to using sha2 (specifically
> sha256).
Ping?
Are we OK to make this change?
sorry i didn't get back earlier.  Before the minor release of devpi-server
last week i tried for two hours to change devpi-server to accomodate
your planned pypi.python.org checksum changes.
I found the change cannot easily be done without changes to the underlying
database schema and thus needs a major new release of devpi-server because
an export/import cycle is needed.  When doing that i also want to do
some internal cleanup related to name normalization (and also relating
to recent pypi.python.org changes) but i need a week or two i guess to
do that.  However i now think that if you do the pypi.python.org checksum
change it shouldn't directly break devpi-server but it would remove
checksum checking.  I'd rather like to have a new major devpi-server
release out when you do the change.  Is it ok for you to wait a bit still?
best,
holger
Yes, we can wait a bit. I was just going over my TODO list and making sure
things weren’t getting lost in the shuffle.
Holger,
Is there anyway people on this list can help with the updates to devpi
so that we can get this out sooner?
Looking at devpi/server/devpi_server/extpypi.py and
devpi/server/devpi_server/model.py mainly and changing most places
where "md5" is found in the source and adapting related tests.
Is there a specific reason you are in a hurry if i may ask?
best,
holger
No real hurry. I just like helping out when there's an opening and
this thread has been around for a short while already. Given the topic
is related to the security of PyPI and its users, I'd like to help
move that forward if possible. That's all. (It's mostly me being
selfish.)
Quite an empathic form of selfishness.  If you want to check things out
and have questions please feel free to ask maybe privately.

holger