[Distutils] API CHANGE - Migrating from MD5 to SHA2, Take 2

holger krekel holger at merlinux.eu
Mon Dec 1 22:41:14 CET 2014


On Mon, Dec 01, 2014 at 15:29 -0600, Ian Cordasco wrote:
> On Mon, Dec 1, 2014 at 3:23 PM, holger krekel <holger at merlinux.eu> wrote:
> > On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
> >> On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft <donald at stufft.io> wrote:
> >> >
> >> >> On Dec 1, 2014, at 4:25 AM, holger krekel <holger at merlinux.eu> wrote:
> >> >>
> >> >> Hi Donald,
> >> >>
> >> >> On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
> >> >>>> On Nov 13, 2014, at 9:21 PM, Donald Stufft <donald at stufft.io> wrote:
> >> >>>>
> >> >>>> Starting a new thread with more explicit details at Richard’s request.
> >> >>>> Essentially the tl;dr here is that we'll switch to using sha2 (specifically
> >> >>>> sha256).
> >> >>>
> >> >>> Ping?
> >> >>>
> >> >>> Are we OK to make this change?
> >> >>
> >> >> sorry i didn't get back earlier.  Before the minor release of devpi-server
> >> >> last week i tried for two hours to change devpi-server to accommodate
> >> >> your planned pypi.python.org checksum changes.
> >> >>
> >> >> I found the change cannot easily be done without changes to the underlying
> >> >> database schema and thus needs a major new release of devpi-server because
> >> >> an export/import cycle is needed.  When doing that i also want to do
> >> >> some internal cleanup related to name normalization (and also relating
> >> >> to recent pypi.python.org changes) but i need a week or two i guess to
> >> >> do that.  However i now think that if you do the pypi.python.org checksum
> >> >> change it shouldn't directly break devpi-server but it would remove
> >> >> checksum checking.  I'd rather like to have a new major devpi-server
> >> >> release out when you do the change.  Is it ok for you to wait a bit still?
> >> >>
> >> >> best,
> >> >> holger
> >> >
> >> > Yes, we can wait a bit. I was just going over my TODO list and making sure
> >> > things weren’t getting lost in the shuffle.
> >>
> >> Holger,
> >>
> >> Is there any way people on this list can help with the updates to devpi
> >> so that we can get this out sooner?
> >
> > Looking at devpi/server/devpi_server/extpypi.py and
> > devpi/server/devpi_server/model.py mainly and changing most places
> > where "md5" is found in the source and adapting related tests.
> >
> > Is there a specific reason you are in a hurry if i may ask?
> >
> > best,
> > holger
> 
> No real hurry. I just like helping out when there's an opening and
> this thread has been around for a short while already. Given the topic
> is related to the security of PyPI and its users, I'd like to help
> move that forward if possible. That's all. (It's mostly me being
> selfish.)

Quite an empathic form of selfishness.  If you want to check things out
and have questions please feel free to ask maybe privately.

holger
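The migration discussed in this thread is a mirror such as devpi-server having to accept PyPI's new sha256 checksums while existing links still carry md5, and Holger's point that an unadapted mirror would silently stop checking rather than fail. The following is an added illustration, not code from devpi-server or PyPI; it assumes the checksum travels in the link's URL fragment as `#<algo>=<hex>` (as on the simple index), and the payload and link base are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Fragment algorithms a mirror accepts during the migration window:
# sha256 is what PyPI is moving to, md5 is what existing links still carry.
ACCEPTED = ("sha256", "md5")

# Constructed sample payload and link base, not a real distribution.
BASE = "https://example.invalid/simple/foo/foo-1.0.tar.gz"
SAMPLE = b"constructed sample sdist payload\n"


def link_with_checksum(base, algo, data):
    """Build a simple-index style link carrying '#<algo>=<hex>' for data."""
    return f"{base}#{algo}={hashlib.new(algo, data).hexdigest()}"


def parse_checksum_fragment(url):
    """Return (algo, hexdigest) from the link fragment, or None when the
    link has no fragment or names an algorithm we do not accept."""
    algo, _, digest = urlsplit(url).fragment.partition("=")
    algo = algo.lower()
    if algo not in ACCEPTED or not digest:
        return None
    return algo, digest.lower()


def verify_download(url, data):
    """Check data against the link's checksum. Returns (ok, algo); algo is
    None when no usable checksum was present, which is the silent
    'checksum checking removed' case a mirror that only knows md5 would hit
    once upstream switches its fragments to sha256."""
    parsed = parse_checksum_fragment(url)
    if parsed is None:
        return False, None
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison of two hex strings.
    return hmac.compare_digest(actual, expected), algo


def upgrade_fragment(url, data):
    """Re-key a stored link to sha256 once its payload has verified under
    whatever fragment it carried (a mirror's one-off migration step)."""
    ok, _ = verify_download(url, data)
    if not ok:
        raise ValueError("payload does not match stored checksum; not re-keying")
    return link_with_checksum(url.split("#", 1)[0], "sha256", data)
```

Treating the `(False, None)` result as an error, rather than as "nothing to check", is what keeps the migration from turning into a silent loss of verification.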

