<div>Ideally the authors would sign them with GPG imo. Which is already possible.</div>
                <p style="color: #A0A0A8;">On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:</p>
                <blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>----- Original Message -----</div>
<blockquote type="cite"><div>
<div>I would like to amend the spec. The hash column of RECORD should be</div>
<div><br></div>
<div>'sha256:' + urlsafe_b64encode(hashlib.sha256(data))</div>
<div><br></div>
<div>instead of the hopelessly obsolete md5. With a secure hash function,</div>
<div>you can digitally sign RECORD.</div>
</div></blockquote>
<div><br></div>
<div>Signing packages does sound interesting, but what authority would sign them? The authors of the packages themselves?</div>
<div><br></div>
<blockquote type="cite"><div>
<div>It would also make sense to allow RECORD to be omitted from RECORD.</div>
<div>_______________________________________________</div>
<div>Distutils-SIG maillist  -  <a href="mailto:Distutils-SIG@python.org">Distutils-SIG@python.org</a></div>
<div><a href="http://mail.python.org/mailman/listinfo/distutils-sig">http://mail.python.org/mailman/listinfo/distutils-sig</a></div>
</div></blockquote>
<div><br></div>
<div>-- </div>
<div>Regards,</div>
<div>Bohuslav "Slavek" Kabrda.</div>
<div>_______________________________________________</div>
<div>Distutils-SIG maillist  -  <a href="mailto:Distutils-SIG@python.org">Distutils-SIG@python.org</a></div>
<div><a href="http://mail.python.org/mailman/listinfo/distutils-sig">http://mail.python.org/mailman/listinfo/distutils-sig</a></div>
</div></div></span>
                </blockquote>
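<div>As an added example, not code from this thread or from any packaging project: the quoted proposal computes each RECORD hash as 'sha256:' plus the urlsafe base64 of the SHA-256 digest, and the reply notes that RECORD then cannot carry a hash of itself. The block below implements that column, builds a RECORD for a constructed in-memory file set, and verifies an installation against it (reporting missing, resized and modified files). It assumes RECORD rows are comma-separated path,hash,size, that the RECORD row itself has an empty hash, and that the digest bytes (hashlib.sha256(data).digest()) are what gets encoded; the sample files and paths are constructed for the example.</div>

```python
# Added example (not from the mailing-list thread): RECORD hash column per the
# quoted formula, plus a verifier for an installed file set.
# Assumptions: rows are "path,hash,size"; the RECORD row has an empty hash;
# the SHA-256 *digest bytes* are base64-encoded (hashlib.sha256(data) on its
# own is a hash object, not bytes).
import base64
import hashlib

HASH_PREFIX = "sha256:"


def record_hash(data: bytes) -> str:
    """Hash column value for one file's bytes: 'sha256:' + urlsafe-b64(digest)."""
    digest = hashlib.sha256(data).digest()
    return HASH_PREFIX + base64.urlsafe_b64encode(digest).decode("ascii")


def digest_from_record_hash(value: str) -> bytes:
    """Inverse of the encoding step; rejects any other algorithm prefix."""
    if not value.startswith(HASH_PREFIX):
        raise ValueError("unexpected hash algorithm in %r" % value)
    return base64.urlsafe_b64decode(value[len(HASH_PREFIX):])


def build_record(files: dict, record_path: str = "RECORD") -> str:
    """Produce RECORD text for a mapping path -> bytes. RECORD lists itself
    with an empty hash and size, since it cannot contain its own digest."""
    rows = ["%s,%s,%d" % (path, record_hash(data), len(data))
            for path, data in sorted(files.items())]
    rows.append("%s,," % record_path)
    return "\n".join(rows) + "\n"


def verify_record(record_text: str, files: dict) -> list:
    """Return (path, problem) pairs for every RECORD row that does not match
    `files`; an empty list means every hashed file is intact. Only rows with
    an empty hash (RECORD itself) are skipped."""
    problems = []
    for line in record_text.splitlines():
        if not line.strip():
            continue
        path, expected_hash, expected_size = line.split(",")
        if expected_hash == "":
            continue
        data = files.get(path)
        if data is None:
            problems.append((path, "missing"))
            continue
        if expected_size and int(expected_size) != len(data):
            problems.append((path, "size mismatch"))
        if record_hash(data) != expected_hash:
            problems.append((path, "hash mismatch"))
    return problems


# Constructed sample "installation": two files of a fictional package.
SAMPLE_FILES = {
    "pkg/__init__.py": b"",
    "pkg/mod.py": b"print('hi')\n",
}
SAMPLE_RECORD = build_record(SAMPLE_FILES)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print("intact:", verify_record(SAMPLE_RECORD, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["pkg/mod.py"] = b"print('HI')\n"  # same size, different content
    print("tampered:", verify_record(SAMPLE_RECORD, tampered))
```

<div>Because every file's digest is listed in RECORD, a single signature over RECORD (with GPG, as suggested above) covers the whole file set: a verifier checks that one signature and then runs the per-file comparison, which is why a collision-resistant hash rather than md5 matters for the scheme.</div>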