----- Original Message -----
> On 7/3/12 9:42 AM, Bohuslav Kabrda wrote:
> > ----- Original Message -----
> >> I would like to amend the spec. The hash column of RECORD should be
> >>
> >> 'sha256:' + urlsafe_b64encode(hashlib.sha256(data))
> >>
> >> instead of the hopelessly obsolete md5. With a secure hash function,
> >> you can digitally sign RECORD.
> >>
> > Signing packages does sound interesting, but what authority would
> > sign them? The authors of the packages themselves?
>
> Notice that there's already a --sign feature in Distutils, using gpg.
>

Ah, I didn't know about that.

> Hashes in the RECORD file have nothing to do with making sure the package
> originated from developer X.
> Their only purpose is to know if a file on the system was changed.

Well, since there is the --sign feature, I totally agree that md5 is sufficient for making checksums.

> Cheers
> Tarek
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> http://mail.python.org/mailman/listinfo/distutils-sig
>

--
Regards,
Bohuslav "Slavek" Kabrda.
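As an added example, not code from the thread or from Distutils, the RECORD hash column in the form proposed above, plus the file-integrity check Tarek describes. It assumes that the hashlib object is reduced to its raw digest with .digest() before base64 encoding (the proposal's one-liner omits that), keeps the '=' padding exactly as written, accepts md5 entries as well for comparison, and runs over constructed file contents instead of a real installed package.

```python
import base64
import hashlib
import hmac

# Constructed sample package contents (not from the thread).
SAMPLE_FILES = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}


def record_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash column as proposed: 'sha256:' + urlsafe_b64encode(sha256(data)).

    The hashlib object must be reduced to its raw digest before encoding;
    the '=' padding is kept here exactly as the proposal writes it.
    """
    digest = hashlib.new(algo, data).digest()
    return f"{algo}:" + base64.urlsafe_b64encode(digest).decode("ascii")


def build_record(files: dict) -> str:
    """Render RECORD as 'path,hash,size' lines, one per file."""
    return "".join(
        f"{path},{record_hash(data)},{len(data)}\n"
        for path, data in sorted(files.items())
    )


def verify_record(record: str, files: dict) -> list:
    """Return the paths whose current content no longer matches RECORD.

    This is the integrity use Tarek describes: it detects changed or missing
    files; it says nothing about who produced them (that is what --sign does).
    """
    changed = []
    for line in record.splitlines():
        path, hash_col, size = line.split(",")
        algo, _, encoded = hash_col.partition(":")
        data = files.get(path)
        if data is None or algo not in hashlib.algorithms_available:
            changed.append(path)  # missing file or unverifiable hash entry
            continue
        expected = base64.urlsafe_b64decode(encoded)
        actual = hashlib.new(algo, data).digest()
        if len(data) != int(size) or not hmac.compare_digest(actual, expected):
            changed.append(path)
    return changed
```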
