
On 7/3/12 3:54 PM, Daniel Holth wrote:
I'm going to implement this, except I will replace the sha256: with a sha256=. There is simply no realistic drawback.
I am -1000 for any change to the RECORD file hashes in PEP 376 unless there's a clear use case.
Strong hashing is a prerequisite for a trust path, and you avoid the need to even think about why it is OK in this specific circumstance that a weak hash is being used. Sorry but I don't understand your use case.
What do "strong", "weak" or "trust" mean here? The use case we have is: we need a checksum for every file, that's all. If you want to build a system where you can verify the origin of the files, you need something like a public/private key system. Which is what --sign is for. Otherwise you're just going to make hashes longer for no apparent reason.

Cheers,
Tarek
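As an added illustration of the two positions in this exchange (example code written for this page, not code from the thread, from distutils or from the wheel project), the following script builds a PEP 376 style RECORD file (`path,hash,size` lines, RECORD listing itself with empty hash and size) using the `sha256=` field syntax Daniel proposes, with the digest encoded as URL-safe base64 without padding; that encoding is an assumption here, taken from what the wheel specification later standardised, since the thread itself does not spell it out. The `demo()` function then shows the limit Tarek is pointing at: editing an installed file is caught by the checksum, but an attacker who can rewrite the file can usually rewrite RECORD too, after which verification passes again. Detecting that requires something RECORD alone cannot provide, such as a signature over RECORD.

```python
import base64
import csv
import hashlib
import hmac
import io
import tempfile
from pathlib import Path

# Assumption: the RECORD hash field is "<algo>=<urlsafe-base64 digest, no '=' padding>".
HASH_NAME = "sha256"


def record_hash(data: bytes) -> str:
    """Encode data's digest the way a RECORD hash field would carry it."""
    digest = hashlib.new(HASH_NAME, data).digest()
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"{HASH_NAME}={encoded}"


def parse_record_hash(field: str) -> bytes:
    """Decode a 'sha256=...' field back into raw digest bytes."""
    algo, sep, value = field.partition("=")
    if not sep or algo != HASH_NAME:
        raise ValueError(f"unsupported hash field: {field!r}")
    # Restore the padding stripped at write time before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def write_record(root: Path, rel_paths) -> str:
    """Write root/RECORD covering rel_paths; RECORD's own line has no hash or size."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for rel in rel_paths:
        data = (root / rel).read_bytes()
        writer.writerow([rel, record_hash(data), len(data)])
    writer.writerow(["RECORD", "", ""])
    text = buf.getvalue()
    (root / "RECORD").write_text(text)
    return text


def verify_record(root: Path) -> dict:
    """Return {path: True/False} for every hashed entry in root/RECORD."""
    results = {}
    with (root / "RECORD").open(newline="") as fh:
        for rel, hash_field, size_field in csv.reader(fh):
            if rel == "RECORD" and not hash_field:
                continue  # RECORD cannot carry its own hash
            data = (root / rel).read_bytes()
            expected = parse_record_hash(hash_field)
            actual = hashlib.new(HASH_NAME, data).digest()
            # Constant-time compare; size is a cheap extra consistency check.
            results[rel] = hmac.compare_digest(expected, actual) and len(data) == int(size_field)
    return results


def demo():
    """Constructed scenario: install, tamper with a file, then tamper with RECORD as well."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pkg").mkdir()
        module = root / "pkg" / "__init__.py"
        module.write_bytes(b"VERSION = '1.0'\n")  # constructed sample file
        write_record(root, ["pkg/__init__.py"])
        clean = verify_record(root)

        # A modified file no longer matches the recorded checksum.
        module.write_bytes(b"VERSION = '1.0'\nprint('modified')\n")
        tampered = verify_record(root)

        # An attacker who can also rewrite RECORD regenerates matching checksums:
        # the checksum alone says nothing about who produced the files.
        write_record(root, ["pkg/__init__.py"])
        record_rewritten = verify_record(root)
        return clean, tampered, record_rewritten


if __name__ == "__main__":
    print(demo())
```

The takeaway matches the thread: a per-file checksum is an integrity check against accidental corruption and against an attacker who cannot touch RECORD; establishing origin needs a key held by the publisher, which is the job of signing, not of a longer hash.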