2009/7/2 Joachim Strömbergson <joac...@strombergson.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Aloha!
>
> Richard Brodie wrote:
>> "Joachim Strömbergson" <joac...@strombergson.com> wrote in message
>> news:mailman.2422.1246418400.8015.python-l...@python.org...
>>
>>> Even so, choosing md5 in 2009 for something that (hopefully) will be
>>> used in years is a bad design decision. It creates a dependency on
>>> an algorithm that all sensible recommendations point you to move away
>>> from.
>>
>> Why not write the field as algorithm:value?
>>
>> e.g. sha1:8590b685654367e3eba70dc00df7e45e88c21da4
>>
>> Installers can fall back to using hashlib.new(), so you can plug in a new
>> algorithm without changing the PEP or the installer code.
>
> +1
>
> Good idea and future proof as well as being simple.

The prefix is a good idea but since it's just a checksum to control that the file hasn't changed what's wrong with using a weak hash algorithm like md5 or now sha1?

If someone wants to modify a file of a distribution he can recreate the checksum as well, the only secured way to prevent that would be to use gpg keys but isn't that overkill for what we need?

e.g. making sure a file wasn't modified when distutils uninstalls a distribution.

Tarek
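
An added example, not code from this thread or from distutils: a sketch of reading the `algorithm:value` field proposed above and checking file contents through `hashlib.new()`. The function names, the `ALLOWED` set and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the algorithms this installer accepts (not specified in the thread).
ALLOWED = {"md5", "sha1", "sha256", "sha512"}
HEX = set("0123456789abcdef")

def parse_field(field):
    """Split 'algorithm:value' and validate both halves."""
    algo, sep, value = field.strip().partition(":")
    algo, value = algo.lower(), value.lower()
    if not sep:
        raise ValueError("expected algorithm:value")
    if algo not in ALLOWED or algo not in hashlib.algorithms_available:
        raise ValueError("unsupported algorithm: %r" % algo)
    # A hex digest is twice the digest size; reject truncated or padded values.
    if len(value) != 2 * hashlib.new(algo).digest_size or not set(value) <= HEX:
        raise ValueError("malformed %s digest" % algo)
    return algo, value

def make_field(data, algo="sha256"):
    """Produce the field an installer would record for these file contents."""
    return "%s:%s" % (algo, hashlib.new(algo, data).hexdigest())

def verify(data, field):
    """True if data still matches the recorded field."""
    algo, expected = parse_field(field)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)

if __name__ == "__main__":
    original = b"print('hello')\n"          # constructed sample file contents
    recorded = make_field(original, "sha1")
    print(recorded, verify(original, recorded))        # unchanged file
    print(verify(original + b"# edited\n", recorded))  # changed file
```

As the reply above notes, this detects a file that changed after the value was recorded; it does not authenticate the file, since anyone able to rewrite the record can recompute the value.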