[Distutils] Migrating Hashes from MD5 to SHA256

Donald Stufft donald at stufft.io
Sun Jul 28 19:30:45 CEST 2013

On Jul 28, 2013, at 8:31 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>> I'm going to go ahead and make this change unless someone comes out and
>> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
>> have an issue with the move.
> Your proposal is a little light on specification, unless I've missed it. For
> example:
> * How exactly will download URLs change? One would assume they'd have a
>  fragment of 'sha256=...', where they currently have 'md5=...', but can you
>  confirm this?

Yes, they will change to have #sha256=... instead of #md5=...

> * PyPI's XML-RPC API provides MD5 hashes in result dictionaries using a key
>  'md5_digest'. How will these result dictionaries change under your
>  proposal?

Here we are a little more flexible. I can leave the md5_digest key there and
simply add a sha256_digest key.

> * PyPI's web interface has actions such as 'show_md5', will these stop
>  working? (By actions, I mean query strings such as ':action=show_md5'.)
>  Will new actions be added?

Again, more flexible. I can simply add a show_sha256 action.

> I'm not familiar with the change process for PyPI - what is the workflow?
> For example, are patches posted for review?

Typically it's left up to us. We often just work and deploy changes without
any review process, but we can (and I have) get reviews beforehand. The
biggest problem with reviews is that PyPI is a very messy codebase with very
few people who understand it, so the pool of developers qualified to review
the code is very small.

On the Warehouse side of things I don't develop directly on master; everything
comes through pull requests, and while there's no formal review process,
a number of folks have been checking my PRs and making comments as
they deemed fit.

> Regards,
> Vinay Sajip
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130728/1fec0ca7/attachment.pgp>
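The two interfaces discussed above (the #sha256=.../#md5=... URL fragment and the md5_digest/sha256_digest keys in the XML-RPC result dictionary) both leave a client with the same job: pick the strongest digest on offer and check the downloaded file against it in constant time. The following is an added example written for this archive page; it is not code from PyPI, Warehouse, pip or Donald's patch. It assumes a hypothetical download URL under example.invalid, a constructed three-byte "sdist" for the sample data, and that a fragment may carry several name=hex pairs joined by '&' (PyPI itself emitted a single pair).

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Digests a client will honour, strongest first. The #md5= form is what PyPI
# emitted before this change; #sha256= is the replacement under discussion.
SUPPORTED = ("sha256", "md5")
_HEX = set("0123456789abcdef")


def make_fragment(data, algs=SUPPORTED):
    """Server side: build the URL fragment PyPI would append to a download
    link, e.g. 'sha256=<hex>&md5=<hex>' (the '&'-joined multi-pair form is an
    assumption of this example)."""
    return "&".join(f"{a}={hashlib.new(a, data).hexdigest()}" for a in algs)


def parse_hash_fragment(url):
    """Client side: return {alg: hexdigest} for every recognised, well-formed
    pair in the URL fragment; unknown algorithms and non-hex values are
    ignored rather than trusted."""
    hashes = {}
    for pair in urlsplit(url).fragment.split("&"):
        name, sep, value = pair.partition("=")
        if not sep:
            continue
        name, value = name.lower(), value.lower()
        if name in SUPPORTED and value and set(value) <= _HEX:
            hashes[name] = value
    return hashes


def verify_download(url, data, allow_md5=False):
    """Check `data` against the strongest digest named in `url`.

    Returns (ok, algorithm_used). MD5 is only consulted when the caller opts
    in, so a URL that carries nothing but #md5= fails closed by default.
    Comparison is constant-time to avoid leaking how many leading hex
    characters matched.
    """
    hashes = parse_hash_fragment(url)
    for alg in SUPPORTED:
        if alg not in hashes or (alg == "md5" and not allow_md5):
            continue
        expected = hashes[alg]
        actual = hashlib.new(alg, data).hexdigest()
        ok = len(expected) == len(actual) and hmac.compare_digest(expected, actual)
        return ok, alg
    return False, None


def pick_digest(release_info):
    """XML-RPC side: prefer the new sha256_digest key, fall back to the
    legacy md5_digest key, so old and new result dictionaries both work."""
    for alg in SUPPORTED:
        key = f"{alg}_digest"
        if key in release_info:
            return alg, release_info[key]
    return None, None


if __name__ == "__main__":
    sdist = b"abc"  # constructed stand-in for a downloaded sdist
    url = "https://example.invalid/pkg-1.0.tar.gz#" + make_fragment(sdist)
    print(url)
    print(verify_download(url, sdist))          # (True, 'sha256')
    print(verify_download(url, sdist + b"!"))   # (False, 'sha256')
    legacy = "https://example.invalid/pkg-1.0.tar.gz#" + make_fragment(sdist, ("md5",))
    print(verify_download(legacy, sdist))       # (False, None): md5 not opted in
    print(verify_download(legacy, sdist, allow_md5=True))  # (True, 'md5')
```

The fail-closed default matters for the transition period: a client that silently accepts #md5= whenever #sha256= is absent gives a mirror or a man-in-the-middle an easy downgrade, so the md5 path is opt-in and is reported back to the caller so it can be logged or refused.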

More information about the Distutils-SIG mailing list