On Tuesday, July 3, 2012 at 3:45 AM, Tarek Ziadé wrote:

> The hash in the RECORD file has nothing to do with making sure the package originated from developer X.
> Its only purpose is to know if a file on the system was changed.

Using sha256 would enable preventing someone from maliciously changing the file. This is similar to how IDS systems capture hashes of binaries to compare against. Of course, someone using the system like this would need to protect the filesystem storing the RECORD files accordingly.
I also think that switching to sha256 is pretty low cost with minimal (no?) downsides with some possible upsides. Is there a reason to stay with md5?
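The kind of check described above, as an added example that is not code from this thread or from distutils: it verifies installed files against a RECORD whose hash field uses the "algorithm=digest" form assumed here (the digest urlsafe-base64-encoded without padding, as later wheel RECORD files use), reports a matching md5/sha1 digest as weak rather than trusted, and tolerates the hashless entries that generated .pyc files get. The package files, their contents and the tampered line are constructed for the demonstration.

```python
import base64
import csv
import hashlib
import os
import tempfile

WEAK_ALGORITHMS = {"md5", "sha1"}  # a matching digest from these is reported, not trusted

def digest_for(path, algorithm):
    """RECORD-style digest: urlsafe base64 of the raw digest with '=' padding stripped."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode("ascii")

def verify_record(root, record_text):
    """Map each recorded path to 'ok', 'modified', 'missing', 'unhashed' or 'weak'."""
    results = {}
    for row in filter(None, csv.reader(record_text.splitlines())):
        rel, hash_field = row[0], (row[1] if len(row) > 1 else "")
        full = os.path.join(root, rel)
        if not hash_field:                # generated files (.pyc) are recorded with an empty hash
            results[rel] = "unhashed"
        elif not os.path.isfile(full):
            results[rel] = "missing"
        else:
            algorithm, _, expected = hash_field.partition("=")
            if digest_for(full, algorithm) != expected:
                results[rel] = "modified"
            else:
                results[rel] = "weak" if algorithm in WEAK_ALGORITHMS else "ok"
    return results

def demo(algorithm="sha256"):
    """Install two constructed files, write their RECORD, tamper with one, then verify."""
    root = tempfile.mkdtemp()
    files = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/util.py": b"def f():\n    pass\n"}
    os.makedirs(os.path.join(root, "pkg"))
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    # one RECORD line per file: "path,algorithm=digest,size"; the .pyc entry carries no hash
    record = "".join(f"{rel},{algorithm}={digest_for(os.path.join(root, rel), algorithm)},{len(body)}\n"
                     for rel, body in files.items())
    record += "pkg/__pycache__/util.cpython-311.pyc,,\n"
    with open(os.path.join(root, "pkg/util.py"), "ab") as f:  # simulate post-install tampering
        f.write(b"# injected line\n")
    return verify_record(root, record)
```

Running demo() flags pkg/util.py as modified while pkg/__init__.py passes; the same run with algorithm="md5" reports the untouched file as weak, which is the distinction an installer would want to surface once sha256 entries are available.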
