[Distutils] Proposal: drop md5 for sha256
Tarek Ziadé
tarek at ziade.org
Tue Jul 3 17:00:50 CEST 2012
On 7/3/12 3:54 PM, Daniel Holth wrote:
> I'm going to implement this except I will replace the sha256: with a
> sha256= There is simply no realistic drawback.
I am -1000 for any change to the RECORD file hashes in PEP 376 unless
there's a clear use case.
> Strong hashing is a
> prerequisite for a trust path, and you avoid the need to even think
> about why it is OK in this specific circumstance that a weak hash is
> being used.
Sorry, but I don't understand your use case.
What do "strong", "weak" or "trust" mean here?
The use case we have is: we need a checksum for every file, that's all.
If you want to build a system where you can verify the origin of the files,
you need something like a public/private key system. Which is what --sign
is for.
Otherwise you're just going to make hashes longer for no apparent reason.
Cheers
Tarek
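
The distinction argued in this message, as an added example that is not part of the original e-mail or of distutils: a per-file hash in a RECORD-style listing detects a file that no longer matches what was recorded, but a listing regenerated together with the changed file verifies cleanly, so the hash alone says nothing about origin. The `path,algo=digest,size` row layout with a hex digest, the function names and the sample files are assumptions made for illustration.

```python
import csv
import hashlib
import io

ALLOWED = {"md5", "sha256"}  # algorithms named in the thread


def record_line(path, data, algo="sha256"):
    """Build one row: path, algo=hexdigest, size (assumed layout)."""
    return f"{path},{algo}={hashlib.new(algo, data).hexdigest()},{len(data)}"


def verify_record(record_text, files):
    """Check every row against files (path -> bytes); return {path: status}."""
    results = {}
    for row in csv.reader(io.StringIO(record_text)):
        if len(row) != 3:
            continue  # skip blank or malformed rows
        path, hash_field, size = row
        algo, _, expected = hash_field.partition("=")
        data = files.get(path)
        if data is None:
            results[path] = "missing"
        elif algo not in ALLOWED:
            results[path] = "unknown-algorithm"
        elif str(len(data)) != size or hashlib.new(algo, data).hexdigest() != expected:
            results[path] = "mismatch"
        else:
            results[path] = "ok"
    return results


# Constructed sample tree and its listing.
ORIGINAL = {
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 1\n",
}
RECORD = "\n".join(record_line(p, d) for p, d in ORIGINAL.items())


def demo():
    changed = {**ORIGINAL, "pkg/core.py": b"def run():\n    return 2\n"}
    # Case 1: a file differs from the listing -> the checksum flags it.
    against_original = verify_record(RECORD, changed)
    # Case 2: whoever changed the file also rewrote the listing -> all "ok".
    rewritten = "\n".join(record_line(p, d) for p, d in changed.items())
    against_rewritten = verify_record(rewritten, changed)
    return against_original, against_rewritten
```

Case 2 passes with any hash algorithm, which is why verifying origin needs a signature over the listing rather than a longer digest inside it.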