[Distutils] Proposal: drop md5 for sha256
Donald Stufft
donald.stufft at gmail.com
Tue Jul 3 09:43:07 CEST 2012
Ideally the authors would sign them with GPG imo. Which is already
possible.
On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:
> ----- Original Message -----
> > I would like to amend the spec. The hash column of RECORD should be
> >
> > 'sha256:' + urlsafe_b64encode(hashlib.sha256(data).digest())
> >
> > instead of the hopelessly obsolete md5. With a secure hash function,
> > you can digitally sign RECORD.
> >
>
>
> Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?
>
> > It would also make sense to allow RECORD to be omitted from RECORD.
> > _______________________________________________
> > Distutils-SIG maillist - Distutils-SIG at python.org (mailto:Distutils-SIG at python.org)
> > http://mail.python.org/mailman/listinfo/distutils-sig
> >
>
>
> --
> Regards,
> Bohuslav "Slavek" Kabrda.
>
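The RECORD hash format proposed in the quoted message, as an added example that is not part of the original thread or of any packaging tool: it builds a RECORD with `sha256:` entries, leaves RECORD's own hash empty, and verifies files against it, rejecting md5 rows. The path,hash,size CSV layout follows PEP 376; the file names, contents and function names are constructed for illustration.

```python
import base64
import csv
import hashlib
import io

RECORD_PATH = "demo-1.0.dist-info/RECORD"  # constructed path
# Constructed sample "installed files", keyed by path.
SAMPLE_FILES = {
    "demo/__init__.py": b"",
    "demo/core.py": b"def answer():\n    return 42\n",
}

def record_hash(data):
    """Hash column as proposed in the thread: 'sha256:' + urlsafe base64 digest."""
    digest = hashlib.sha256(data).digest()
    return "sha256:" + base64.urlsafe_b64encode(digest).decode("ascii")

def build_record(files):
    """Emit path,hash,size rows; RECORD lists itself with no hash or size."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for path in sorted(files):
        writer.writerow([path, record_hash(files[path]), len(files[path])])
    writer.writerow([RECORD_PATH, "", ""])
    return out.getvalue()

def verify_record(record_text, files):
    """Return (path, problem) pairs; an empty list means everything matched."""
    problems, listed = [], set()
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue  # blank line
        if len(row) != 3:
            problems.append((row[0], "malformed row"))
            continue
        path, hash_col, size = row
        listed.add(path)
        if path == RECORD_PATH:
            continue  # RECORD cannot carry its own hash
        if hash_col.partition(":")[0] != "sha256":
            problems.append((path, "hash is not sha256"))  # md5 or empty
        elif path not in files:
            problems.append((path, "listed but missing"))
        elif hash_col != record_hash(files[path]):
            problems.append((path, "hash mismatch"))
        elif size and size != str(len(files[path])):
            problems.append((path, "size mismatch"))
    problems += [(p, "not listed in RECORD") for p in sorted(set(files) - listed)]
    return problems
```

Because every other file's digest is inside RECORD, a detached signature over RECORD alone covers the whole installed tree, provided the verifier also rejects unlisted files as `verify_record` does.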