[Distutils] Proposal: drop md5 for sha256

Daniel Holth dholth at gmail.com
Tue Jul 3 18:05:44 CEST 2012


I am just re-using record in wheel files so I can implement a verify function someday. Pay no attention to this backward-compatible change. You can use the checksum you prefer, and if it does not begin with hashfunc= then you know it's an md5.

No discussion about adding provides-extra and the reserved extra names for python setup.py test? How about that the environment markers spec says you can use == but (naked version number) (4.0) is the only example given for "exactly this version"?

And why is pkg-info called metadata now anyway?

Daniel Holth

On Jul 3, 2012, at 11:10 AM, Éric Araujo <merwok at netwok.org> wrote:

> Le 03/07/2012 10:53, Tarek Ziadé a écrit :
>> On 7/3/12 4:32 PM, PJ Eby wrote:
>>> No, because that's not what the RECORD hashes are for.  It's not an
>>> intrusion detection system, it's an installer conflict and "oops I
>>> edited the wrong file" checker.
>>> 
>>> People who are upset because md5 is low security are correctly
>>> understanding that this system *provides no security*.  We are not
>>> promising ANY security, so *not* using a secure hash is actually
>>> preferable.  The goal is data integrity against accidental overwrite
>>> by dumb installer tools (e.g. distutils) and accidental edits, not
>>> security against malicious tampering.
> 
> Exactly.  Promises of false security do not help users.
> 
>> Yeah I don't really understand this debate over md5 hashes here. I
>> suggest that we emphasis in PEP 376 the fact that the sole purpose is to
>> have a checksum.
> 
> Putting that on my list of editions for the PEPs!
> 
> Cheers
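As an added example (not code from this thread, distutils or the wheel project), here is a small RECORD verifier that accepts both hash forms Daniel describes: a bare hex digest, which is read as the legacy md5, or `hashfunc=digest`. It assumes a digest is either hex or urlsafe base64 without padding (the encoding PEP 427 later adopted); file paths, contents and the RECORD rows are constructed sample data.

```python
import base64
import csv
import hashlib
import io

def parse_hash_field(field):
    """Split a RECORD hash column into (algorithm, digest bytes).
    A field without '=' is the legacy PEP 376 form: a bare hex md5 digest."""
    if "=" in field:
        name, _, encoded = field.partition("=")
    else:
        name, encoded = "md5", field
    if len(encoded) == 2 * hashlib.new(name).digest_size:
        return name, bytes.fromhex(encoded)          # hex-encoded digest
    # assumption: otherwise urlsafe base64 without '=' padding (PEP 427 style)
    return name, base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))

def verify_record(record_text, files):
    """Compare RECORD rows against files (path -> bytes); returns path -> 'ok',
    'modified', 'missing' or 'unchecked'. Catches accidental edits, not tampering."""
    results = {}
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        path, hash_field, size_field = (row + ["", ""])[:3]
        if not hash_field:                       # RECORD lists itself with no hash
            results[path] = "unchecked"
            continue
        data = files.get(path)
        if data is None:
            results[path] = "missing"
            continue
        name, expected = parse_hash_field(hash_field)
        hash_ok = hashlib.new(name, data).digest() == expected
        size_ok = not size_field or int(size_field) == len(data)
        results[path] = "ok" if hash_ok and size_ok else "modified"
    return results

def build_sample():
    """Constructed sample: a bare-md5 row, a sha256= row and a missing file."""
    files = {"pkg/__init__.py": b"__version__ = '1.0'\n",
             "pkg/core.py": b"def run():\n    return 42\n"}
    init, core = files["pkg/__init__.py"], files["pkg/core.py"]
    b64 = lambda d: base64.urlsafe_b64encode(d).rstrip(b"=").decode()
    record = "pkg/__init__.py,%s,%d\n" % (hashlib.md5(init).hexdigest(), len(init))
    record += "pkg/core.py,sha256=%s,%d\n" % (b64(hashlib.sha256(core).digest()), len(core))
    record += "pkg/missing.py,sha256=%s,0\n" % b64(hashlib.sha256(b"").digest())
    record += "pkg-1.0.dist-info/RECORD,,\n"
    return record, files
```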
