PEP 376
Tarek Ziadé
ziade.tarek at gmail.com
Thu Jul 2 07:55:30 EDT 2009
2009/7/2 Joachim Strömbergson <Joachim at strombergson.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Aloha!
>
> Richard Brodie wrote:
>> "Joachim Str�mbergson" <Joachim at Strombergson.com> wrote in message
>> news:mailman.2422.1246418400.8015.python-list at python.org...
>>
>>> Even so, choosing md5 in 2009 for something that (hopefully) will be
>>> used in years is a bad design decision. It creates a dependency for to
>>> an algorithm that all sensible recommendations point you to move away
>>> from.
>>
>> Why not write the field as algorithm:value?
>>
>> e.g. sha1:8590b685654367e3eba70dc00df7e45e88c21da4
>>
>> Installers can fallback to using hashlib.new(), so you can plug in a new
>> algorithm without changing the PEP or the installer code.
>
> +1
>
> Good idea and future proof as well as being simple.
The prefix is a good idea but since it's just a checksum to control
that the file hasn't changed
what's wrong with using a weak hash algorithm like md5 or now sha1 ?
If someone wants to modify a file of a distribution he can recreate
the checksum as well,
the only secured way to prevent that would be to use gpg keys but
isn't that overkill for what we need ?
e.g. making sure a file wasn't modified when distutils uninstalls a
distribution.
Tarek
More information about the Python-list
mailing list