[Distutils] Migrating Hashes from MD5 to SHA256

Antoine Pitrou solipsis at pitrou.net
Sat Jul 27 19:47:52 CEST 2013


Donald Stufft <donald <at> stufft.io> writes:
> 
> I don't think any claim can be made about the relative use between the
> two tools by looking at the download counts because their typical use is
> generally very different.

I'll try to phrase it more clearly then: I am not *comparing* their
relative use. I am simply pointing out that an extremely large number 
of people install setuptools separately. Whether or not they also use
virtualenv is completely irrelevant (but, of course, chances are
they don't: otherwise, as you say, they'd use the bundled versions).

> But sure you're right whatever does that make
> you feel better?

Now, please calm down...

> Are you trying to claim we shouldn't move to a stronger hash?

No, I'm just saying the possibility of regressions isn't as small
as you think based on a misinterpretation of how people actually
get setuptools installed (many of them get it directly from PyPI).

But, yes, we should of course move to something better than md5,
and ideally make the format flexible enough to avoid further
breakage when switching hashes again.

Regards

Antoine.
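As an added example, not part of this thread nor of setuptools or pip, here is a client-side verifier for the `#<alg>=<hex>` download-link fragment (the form PyPI links used for md5; its use for sha256 is assumed here) that accepts either hash, refuses unknown names, and re-issues a verified md5 link with sha256, so the next algorithm switch is a change to one tuple rather than to the link format:

```python
import hashlib
import hmac
from urllib.parse import urlparse, urlunparse

# Algorithms a client will verify against, strongest first. A future hash is a
# change to this tuple, not to the link format.
SUPPORTED = ("sha256", "md5")
DEPRECATED = {"md5"}

# Constructed sample: a fake archive body and its real digests.
SAMPLE_DATA = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"

def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a '#<alg>=<hex>' fragment, else None."""
    alg, sep, digest = urlparse(url).fragment.partition("=")
    if not (sep and alg and digest):
        return None
    return alg.lower(), digest.lower()

def verify_download(url, data):
    """Check `data` against the hash named in `url`; returns (ok, alg, note).
    Unknown algorithm names are rejected, never silently skipped."""
    spec = parse_hash_fragment(url)
    if spec is None:
        return False, None, "no hash in URL fragment"
    alg, expected = spec
    if alg not in SUPPORTED:
        return False, alg, "unsupported hash algorithm"
    actual = hashlib.new(alg, data).hexdigest()
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    note = "md5 is deprecated; re-publish with sha256" if alg in DEPRECATED else None
    return ok, alg, note

def upgrade_fragment(url, data):
    """Rewrite `url` to carry the strongest supported hash of `data`.
    Refuses unless the existing hash verifies, so a tampered file is never
    laundered into a fresh sha256 link."""
    ok, _alg, _note = verify_download(url, data)
    if not ok:
        raise ValueError("refusing to upgrade: existing hash does not verify")
    parts = urlparse(url)
    digest = hashlib.new(SUPPORTED[0], data).hexdigest()
    return urlunparse(parts._replace(fragment=f"{SUPPORTED[0]}={digest}"))
```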
