[Distutils] Removing wheel signing features from the wheel library

Thomas Kluyver thomas at kluyver.me.uk
Thu Mar 22 17:56:57 EDT 2018


On Thu, Mar 22, 2018, at 9:25 PM, alex.gronholm at nextday.fi wrote:
> I've been wondering about something – zip files already contain CRC
> based checksums for each stored file. What benefit is there in
> storing a RECORD file which basically duplicates this functionality?
In terms of providing a foundation for security checks, I think CRC
checksums are insufficient - they are meant to detect random data
corruption, not a deliberate effort to make a malicious file.
You could simply use a cryptographic hash of the entire wheel zip file.
I guess the advantage of storing file hashes in RECORD is that they can
be checked against the installed code, not just the wheel package.
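The two points above (a CRC-32 is not tamper-evident, and RECORD hashes can be checked per file) can be shown directly. The script below is an added example written for this page; it is not code from the thread, the wheel library or pip. The distribution name `demo-1.0.dist-info`, the package files and the substitute payload are constructed. It builds a minimal wheel-style zip with a PEP 427 RECORD, replaces one entry with a different payload padded by four bytes so its CRC-32 is unchanged (the usual CRC-32 forging trick, which works because the final register depends only on the last four table indices), and then shows that `ZipFile.testzip()` is satisfied while the sha256 comparison against RECORD is not.

```python
"""Added example: a zip's CRC-32 can be forged to hide a change; a sha256 RECORD catches it."""
import base64
import hashlib
import io
import zipfile
import zlib

DIST_INFO = "demo-1.0.dist-info"  # constructed distribution name
FILES = {  # constructed package contents, not a real project
    "demo/__init__.py": b"VERSION = '1.0'\n",
    "demo/core.py": b"def run():\n    return 'ok'\n",
}
PAYLOAD = b"import os\ndef run():\n    return os.environ.get('HOME')\n"  # constructed stand-in for a malicious edit

# CRC-32 as used by zip and zlib: reflected polynomial, init and final XOR 0xFFFFFFFF.
POLY = 0xEDB88320
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}  # high bytes are unique, so invertible


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append 4 bytes to data so that zlib.crc32(result) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # CRC register after data
    want = target ^ 0xFFFFFFFF           # register we need after the patch
    # Walk the four table lookups backwards from the wanted register. The
    # final register depends only on the four table indices, not on `reg`.
    indices, t = [], want
    for _ in range(4):
        i = REV[t >> 24]
        indices.append(i)
        t = ((t ^ TABLE[i]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for i in reversed(indices):
        patch.append(i ^ (reg & 0xFF))  # the byte that makes this step use index i
        reg = (reg >> 8) ^ TABLE[i]
    return data + bytes(patch)


def record_hash(data: bytes) -> str:
    """RECORD digest encoding from PEP 427: sha256=<urlsafe base64 without padding>."""
    return "sha256=" + base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def build_wheel(files: dict) -> bytes:
    """Minimal wheel-style zip: the files plus a RECORD listing name,hash,size."""
    buf, lines = io.BytesIO(), []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
            lines.append(f"{name},{record_hash(data)},{len(data)}")
        lines.append(f"{DIST_INFO}/RECORD,,")  # RECORD does not hash itself
        zf.writestr(f"{DIST_INFO}/RECORD", "\n".join(lines) + "\n")
    return buf.getvalue()


def tamper(wheel: bytes, name: str, payload: bytes) -> bytes:
    """Replace entry `name` with payload, padded so its CRC-32 equals the original's."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        entries = {i.filename: (zf.read(i.filename), i.CRC) for i in zf.infolist()}
    forged = forge_crc32(payload, entries[name][1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, (data, _crc) in entries.items():
            zf.writestr(fname, forged if fname == name else data)  # RECORD is kept as-is
    return buf.getvalue()


def crc_check(wheel: bytes) -> bool:
    """All the container offers: testzip() recomputes each entry's CRC-32."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return zf.testzip() is None


def record_check(wheel: bytes) -> list:
    """Verify every hashed RECORD entry; return the names whose sha256 does not match."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        for line in zf.read(f"{DIST_INFO}/RECORD").decode().splitlines():
            name, digest, _size = line.split(",")
            if digest and record_hash(zf.read(name)) != digest:
                bad.append(name)
    return bad


def demo() -> dict:
    """Build the wheel, swap demo/core.py for PAYLOAD with a forged CRC, check both ways."""
    wheel = build_wheel(FILES)
    evil = tamper(wheel, "demo/core.py", PAYLOAD)
    with zipfile.ZipFile(io.BytesIO(wheel)) as a, zipfile.ZipFile(io.BytesIO(evil)) as b:
        same_crc = a.getinfo("demo/core.py").CRC == b.getinfo("demo/core.py").CRC
    return {
        "zip_crc_unchanged": same_crc,               # True: the CRC was forged
        "testzip_passes_tampered": crc_check(evil),  # True: the container sees nothing wrong
        "record_mismatches": record_check(evil),     # ['demo/core.py']
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The four padding bytes are appended blindly here, so in a real attack they would be placed inside a trailing comment or string literal to keep the module importable; that does not change the CRC result. And RECORD only helps if RECORD itself has an integrity root: anyone who can rewrite `demo/core.py` inside the archive can rewrite RECORD too, which is why the hash of the whole wheel, or a signature over it, still has to come from somewhere the attacker does not control.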