On 7/3/12 3:16 AM, Daniel Holth wrote:

I would like to amend the spec. The hash column of RECORD should be

'sha256:' + urlsafe_b64encode(hashlib.sha256(data))

instead of the hopelessly obsolete md5. With a secure hash function,
you can digitally sign RECORD.

The goal of the RECORD file is to make sure we know if a file was changed so installlers are aware of it when they want
to remove the project for instance.

It was not really intended to be some kind of security against an attack -- unless you have
attacks scenarri in mind ?


It would also make sense to allow RECORD to be omitted from RECORD.

why ? this file is part of the installation, and as said here : http://www.python.org/dev/peps/pep-0376/#record

" Notice that the RECORD file can't contain a hash of itself and is just mentioned here"

Cheers
Tarek

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig