Ideally the authors would sign them with GPG imo. Which is already possible.
On Tuesday, July 3, 2012 at 3:42 AM, Bohuslav Kabrda wrote:
> ----- Original Message -----
> > I would like to amend the spec. The hash column of RECORD should be
> >
> >     'sha256:' + urlsafe_b64encode(hashlib.sha256(data))
> >
> > instead of the hopelessly obsolete md5. With a secure hash function,
> > you can digitally sign RECORD.
>
> Signing packages does sound interesting, but what authority would sign them?
> The authors of the packages themselves?
>
> > It would also make sense to allow RECORD to be omitted from RECORD.
> > _______________________________________________
> > Distutils-SIG maillist - [email protected]
> > http://mail.python.org/mailman/listinfo/distutils-sig
>
> --
> Regards,
> Bohuslav "Slavek" Kabrda.
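The RECORD format proposed in the quoted message, as an added example that is not part of the original thread or of any project's code: it builds the `sha256:` hash column, leaves RECORD's own row without a hash, and verifies a set of files against the result. The path,hash,size row layout follows PEP 376, the digest is taken with `.digest()` before encoding, and the file names and contents are constructed.

```python
import base64
import csv
import hashlib
import io

# Constructed sample package contents (path -> bytes); not from the thread.
FILES = {"pkg/__init__.py": b"", "pkg/core.py": b"def run():\n    return 1\n"}
RECORD_PATH = "pkg-1.0.dist-info/RECORD"  # constructed path


def record_hash(data: bytes) -> str:
    """Hash column value: 'sha256:' + urlsafe base64 of the raw digest."""
    digest = hashlib.sha256(data).digest()  # raw bytes, not the hex string
    return "sha256:" + base64.urlsafe_b64encode(digest).decode("ascii")


def build_record(files: dict, record_path: str) -> str:
    """Build RECORD text; RECORD's own row carries no hash or size."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for path in sorted(files):
        writer.writerow([path, record_hash(files[path]), len(files[path])])
    writer.writerow([record_path, "", ""])
    return out.getvalue()


def verify_record(record_text: str, files: dict, record_path: str) -> list:
    """Return a list of problems; an empty list means every file matched."""
    problems, listed = [], set()
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        path, expected = (row + ["", ""])[:2]
        listed.add(path)
        if path == record_path:
            continue  # RECORD cannot contain its own hash
        if path not in files:
            problems.append(f"missing: {path}")
        elif not expected.startswith("sha256:"):
            problems.append(f"weak or absent hash: {path}")
        elif record_hash(files[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    # Files present on disk but absent from RECORD are not covered by it.
    problems += [f"unlisted: {p}" for p in sorted(set(files) - listed)]
    return problems
```

A signature made over the RECORD text then covers every listed file through its hash, which is why the check also reports files that RECORD does not list.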
