July 3, 2012
7:45 a.m.
On 7/3/12 9:42 AM, Bohuslav Kabrda wrote:
----- Original Message -----
I would like to amend the spec. The hash column of RECORD should be
'sha256:' + urlsafe_b64encode(hashlib.sha256(data))
instead of the hopelessly obsolete md5. With a secure hash function, you can digitally sign RECORD.
Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?
Notice that there's already a --sign feature in Distutils, using gpg. Hash in the RECORD file have nothing to do with making sure the package is originated from developer X. Its only purpose is to know if a file on the system was changed Cheers Tarek