On Jul 26, 2013, at 3:24 PM, Christian Heimes <christ...@python.org> wrote:
> A couple of months ago I suggested a schema that includes MD5, SHA-2
> and file size:
>
> file.tar.gz#MD5=1234&SHA-256=abcd&filesize=5023
>
> That should work for old versions of setuptools and can easily be
> supported in new versions of pip and setuptools.

It won't work for old versions, it explicitly includes the end of line terminator and the #.

>
> A new hash sum scheme must include the possibility to add multiple and
> new hash algorithms. A download tool shall check the hash sum for all
> supported algorithms, too. I also like to see the file size in the
> scheme. It's useful to know the file size in preparation of the
> download. The file size validation mitigates some attack possibilities.

Right now that would break too much. I agree this is where we need to get to, but it'll likely need to wait for the new API in Warehouse.

>
> Christian
>

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
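The fragment scheme quoted in the message above, parsed and enforced the way a download tool would, as an added example that is not part of the thread and is not pip or setuptools code. The algorithm-name mapping, the rule that MD5 alone is not sufficient, and the sample URL and bytes are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urldefrag, parse_qsl

# Fragment keys from the proposal mapped to hashlib names (mapping is an assumption).
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_fragment(url):
    """Split a URL into (base_url, {algorithm: hex digest}, expected size or None)."""
    base, fragment = urldefrag(url)
    digests, size = {}, None
    for key, value in parse_qsl(fragment, keep_blank_values=True):
        if key == "filesize":
            size = int(value)  # non-numeric size raises ValueError
        else:
            digests[key] = value.lower()
    return base, digests, size


def verify_download(url, data):
    """Return the names of the checks that passed; raise ValueError on any mismatch."""
    _, digests, size = parse_fragment(url)
    # Size check first: cheap, and rejects truncated or padded files early.
    if size is not None and len(data) != size:
        raise ValueError("size mismatch: expected %d, got %d" % (size, len(data)))
    checked = []
    for name, expected in digests.items():
        algo = ALGORITHMS.get(name)
        if algo is None:
            continue  # unknown (newer) algorithm: skipped, never counted as verified
        if hashlib.new(algo, data).hexdigest() != expected:
            raise ValueError("%s mismatch" % name)
        checked.append(name)
    # Policy assumption: at least one SHA-2 digest must have been verified.
    if not any(name.startswith("SHA-") for name in checked):
        raise ValueError("no supported strong hash in fragment")
    return checked


# Constructed sample, not a real package or index URL.
SAMPLE = b"constructed sdist bytes\n"
SAMPLE_URL = "https://example.invalid/file.tar.gz#MD5=%s&SHA-256=%s&filesize=%d" % (
    hashlib.md5(SAMPLE).hexdigest(), hashlib.sha256(SAMPLE).hexdigest(), len(SAMPLE))

if __name__ == "__main__":
    print(verify_download(SAMPLE_URL, SAMPLE))
```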