[Distutils] Migrating Hashes from MD5 to SHA256

Donald Stufft donald at stufft.io
Fri Jul 26 22:45:41 CEST 2013


On Jul 26, 2013, at 2:33 PM, PJ Eby <pje at telecommunity.com> wrote:

> Anyway, this is all somewhat moot since the hashes only matter when
> the download is hosted somewhere besides PyPI, since SSL verification
> is available for the PyPI part.  Even so, I'd suggest that moving to
> SHA1 might be a good intermediate step: it's available on Python 2.3,
> so I could backport the relevant support to the 0.6 branch.  (IIUC,
> Python 2.3 is still the default version for many Linux distros that
> have not reached end-of-life support.)

I think RHEL is the one that will support things the longest. As far as I
can tell Python 2.3 was default in RHEL4 and RHEL5 used Python 2.4.

ELS support for RHEL4 ends Feb of 2015, so that's roughly a year and
a half till not even Red Hat supports Python 2.3 anymore that I can tell?
It also appears that support for new installations ended roughly a year
and a half ago.

Many (most?) projects no longer support Python 2.3 on PyPI, and I
seriously doubt that there is a significant number of people who both
want the stability provided by RHEL and are willing to continue using a
release that is this close to being EOL'd while simultaneously wanting
to download things from PyPI. CPython hasn't supported Python 2.3
in years.

Basically, if RHEL customers want the security updates they should
bother Red Hat for them, that's part of why they pay for RHEL instead
of going with a free system. I don't think it's appropriate to allow a
handful of people who might still be on a version of Python first
released 10 years ago and last released 8 years ago to negatively
impact everyone else.

Note: I don't use RHEL so my understanding of its life cycle is from
reading their support page.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
