I am just re-using record in wheel files so I can implement a verify function someday. Pay no attention to this backward-compatible change. You can use the checksum you prefer, and if it does not begin with hashfunc= then you know it's an md5.
No discussion about adding provides-extra and the reserved extra names for python setup.py test? How about that the environment markers spec says you can use == but (naked version number) (4.0) is the only example given for "exactly this version"? And why is pkg-info called metadata now anyway?

Daniel Holth

On Jul 3, 2012, at 11:10 AM, Éric Araujo <[email protected]> wrote:

> On 03/07/2012 10:53, Tarek Ziadé wrote:
>> On 7/3/12 4:32 PM, PJ Eby wrote:
>>> No, because that's not what the RECORD hashes are for. It's not an
>>> intrusion detection system, it's an installer conflict and "oops I
>>> edited the wrong file" checker.
>>>
>>> People who are upset because md5 is low security are correctly
>>> understanding that this system *provides no security*. We are not
>>> promising ANY security, so *not* using a secure hash is actually
>>> preferable. The goal is data integrity against accidental overwrite
>>> by dumb installer tools (e.g. distutils) and accidental edits, not
>>> security against malicious tampering.
>
> Exactly. Promises of false security do not help users.
>
>> Yeah I don't really understand this debate over md5 hashes here. I
>> suggest that we emphasize in PEP 376 the fact that the sole purpose is to
>> have a checksum.
>
> Putting that on my list of editions for the PEPs!
>
> Cheers
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> http://mail.python.org/mailman/listinfo/distutils-sig
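The backward-compatible hash field described at the top of this message, sketched as a RECORD verify function. This is an added example, not part of the thread and not code from wheel or distutils; it assumes bare values are hex md5 digests, prefixed values are unpadded urlsafe base64, and the function names, allowlist and sample files are constructed for illustration.

```python
import base64, csv, hashlib, io

KNOWN = ("md5", "sha1", "sha256", "sha384", "sha512")  # illustrative allowlist

def format_hash(data, algo=None):
    """Build a RECORD hash field: bare md5 hex (legacy) or 'algo=digest'."""
    if algo is None:
        return hashlib.md5(data).hexdigest()
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def parse_hash(field):
    """Return (algorithm, raw digest). No 'hashfunc=' prefix means md5."""
    algo, sep, value = field.partition("=")
    if not sep:
        return "md5", bytes.fromhex(field)
    # Assumption: prefixed digests are urlsafe base64 with padding stripped.
    return algo, base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def verify_record(record_text, files):
    """Map each RECORD path to a status; files maps path -> content bytes.
    Catches accidental edits and overwrites only, not malicious tampering."""
    results = {}
    for row in csv.reader(io.StringIO(record_text)):
        if len(row) != 3:
            continue
        path, hash_field, size = row
        data = files.get(path)
        if not hash_field:
            results[path] = "unhashed"      # e.g. the RECORD file itself
        elif data is None:
            results[path] = "missing"
        else:
            algo, expected = parse_hash(hash_field)
            if algo not in KNOWN:
                results[path] = "unknown-algorithm"
            elif size and int(size) != len(data):
                results[path] = "modified"
            else:
                actual = hashlib.new(algo, data).digest()
                results[path] = "ok" if actual == expected else "modified"
    return results

# Constructed sample: one legacy md5 row, one prefixed row, one unhashed row.
FILES = {"pkg/__init__.py": b"VERSION = '1.0'\n",
         "pkg/core.py": b"def run():\n    return 42\n"}

def sample_record():
    old, new = "pkg/__init__.py", "pkg/core.py"
    return "\n".join([
        "%s,%s,%d" % (old, format_hash(FILES[old]), len(FILES[old])),
        "%s,%s,%d" % (new, format_hash(FILES[new], "sha256"), len(FILES[new])),
        "pkg-1.0.dist-info/RECORD,,"]) + "\n"
```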
