On Jul 26, 2013, at 3:24 PM, Christian Heimes <christian@python.org> wrote:
> A couple of months ago I suggested a schema that includes MD5, SHA-2 and file size:
> file.tar.gz#MD5=1234&SHA-256=abcd&filesize=5023
> That should work for old versions of setuptools and can easily be supported in new versions of pip and setuptools.
It won't work for old versions; it explicitly includes the end-of-line terminator and the #.
> A new hash sum scheme must include the possibility to add multiple and new hash algorithms. A download tool shall check the hash sum for all supported algorithms, too. I also like to see the file size in the scheme. It's useful to know the file size in preparation for the download. The file size validation mitigates some attack possibilities.
Right now that would break too much. I agree this is where we need to get to, but it'll likely need to wait for the new API in Warehouse.
> Christian
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
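As an added illustration of the fragment scheme discussed above (this is example code, not pip's or setuptools' own implementation): a small verifier that parses `#MD5=...&SHA-256=...&filesize=...`, checks the file size first, then requires every digest it understands to match, and ignores keys for algorithms it does not know so newer servers can add them. The `ALGORITHMS` mapping and the function names are assumptions.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Hypothetical mapping from fragment keys to hashlib names. Keys not listed
# here are ignored, so a server may advertise algorithms an older client lacks.
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_fragment(url):
    """Return (hashes, filesize): hashes maps hashlib name -> expected hex digest."""
    fragment = urlsplit(url).fragment
    hashes, filesize = {}, None
    for key, value in parse_qsl(fragment, keep_blank_values=True):
        if key == "filesize":
            filesize = int(value)
        elif key in ALGORITHMS:
            hashes[ALGORITHMS[key]] = value.lower()
    return hashes, filesize


def make_url(base, data, algorithms=("md5", "sha256")):
    """Publisher side: build the fragment for `data` from hashlib algorithm names."""
    labels = {name: key for key, name in ALGORITHMS.items()}
    parts = ["%s=%s" % (labels[a], hashlib.new(a, data).hexdigest()) for a in algorithms]
    parts.append("filesize=%d" % len(data))
    return base + "#" + "&".join(parts)


def verify(data, url):
    """Downloader side: size check first (cheap), then all supported digests."""
    hashes, filesize = parse_fragment(url)
    if not hashes:
        return False  # nothing we can verify: treat the download as untrusted
    if filesize is not None and len(data) != filesize:
        return False
    return all(hashlib.new(name, data).hexdigest() == expected
               for name, expected in hashes.items())


if __name__ == "__main__":
    payload = b"constructed sample archive contents"  # constructed, not a real sdist
    url = make_url("file.tar.gz", payload)
    print(url)
    print("valid:", verify(payload, url), "tampered:", verify(payload + b"\x00", url))
```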