> And yes, attacks on md5 will only get better, so we should migrate to
> better hashes in the future. But if there is something to be
> embarrassed about, it's not the use of md5, but the lack of proper
> code signing and trust paths between developers.
I'm going to implement this except I will replace the sha256: with a sha256=

There is simply no realistic drawback. Strong hashing is a prerequisite for a trust path, and you avoid the need to even think about why it is OK in this specific circumstance that a weak hash is being used.

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig