[Distutils] Proposal: drop md5 for sha256
Tarek Ziadé
tarek at ziade.org
Tue Jul 3 09:45:20 CEST 2012
On 7/3/12 9:42 AM, Bohuslav Kabrda wrote:
>> I would like to amend the spec. The hash column of RECORD should be
>>
>> 'sha256:' + urlsafe_b64encode(hashlib.sha256(data).digest())
>>
>> instead of the hopelessly obsolete md5. With a secure hash function,
>> you can digitally sign RECORD.
>>
> Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?
Notice that there's already a --sign feature in Distutils, using gpg.
Hashes in the RECORD file have nothing to do with making sure the package
originated from developer X.
Their only purpose is to know if a file on the system was changed.
Cheers
Tarek
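As an added illustration (not code from the thread or from Distutils), the following Python sketch writes and checks RECORD hash columns in the proposed `'sha256:' + urlsafe_b64encode(digest)` form and shows the limit Tarek points out: a hash in RECORD detects an altered file but says nothing about who produced the package. The package files, RECORD contents and the `weak-hash` status for leftover md5 entries are constructed for this example.

```python
import base64
import hashlib

# Hash algorithms a verifier should still accept; md5 entries are flagged, not trusted.
ACCEPTED = {"sha256"}


def record_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hash column of one RECORD entry: '<algorithm>:' + urlsafe_b64encode(digest)."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}:{base64.urlsafe_b64encode(digest).decode('ascii')}"


def parse_record(record_text: str) -> dict:
    """Map path -> hash column for 'path,hash,size' lines; entries with no hash are skipped."""
    entries = {}
    for line in record_text.splitlines():
        if not line.strip():
            continue
        path, hash_value, _size = line.split(",")
        if hash_value:
            entries[path] = hash_value
    return entries


def verify_installed(files: dict, record_text: str) -> dict:
    """Return path -> 'ok', 'modified', 'missing' or 'weak-hash' for every hashed RECORD entry."""
    results = {}
    for path, expected in parse_record(record_text).items():
        algorithm = expected.partition(":")[0]
        if algorithm not in ACCEPTED:
            results[path] = "weak-hash"   # e.g. a stale md5 entry: integrity cannot be relied on
        elif path not in files:
            results[path] = "missing"
        else:
            results[path] = "ok" if record_hash(files[path], algorithm) == expected else "modified"
    return results


# Constructed sample package: one sha256 entry, one leftover md5 entry, RECORD itself unhashed.
FILES = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/util.py": b"def f():\n    return 1\n"}
RECORD = "\n".join([
    f"pkg/__init__.py,{record_hash(FILES['pkg/__init__.py'])},{len(FILES['pkg/__init__.py'])}",
    f"pkg/util.py,{record_hash(FILES['pkg/util.py'], 'md5')},{len(FILES['pkg/util.py'])}",
    "pkg/RECORD,,",
])

if __name__ == "__main__":
    print(verify_installed(FILES, RECORD))
    # Whoever can rewrite RECORD along with the files passes verification: hashes prove integrity,
    # not origin, which is why origin needs a signature (the --sign/gpg feature Tarek mentions).
    altered = dict(FILES, **{"pkg/__init__.py": b"VERSION = '1.1'\n"})
    print(verify_installed(altered, RECORD))
```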