On 28 July 2013 20:55, Donald Stufft <don...@stufft.io> wrote:
> Ok so given that:
>
> - There's a readily available solution for Python 2.4+ with the likelihood
>   being that most users are either using it or using an older version which
>   doesn't support SSL.
> - The number of folks likely to be on Python 2.3 and wanting to install things
>   from PyPI is likely to be very small.
> - There's possibly a future solution for Python 2.3
> - The safety margins for MD5 are gone and cryptographers heavily suggest
>   moving away from it.
> - A revised scheme will break backwards compatibility with the versions of
>   the tooling that do support a stronger hash.
>
> I'm going to go ahead and make this change unless someone comes out and
> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
> have an issue with the move.
+1, this sounds like a good way forward for the existing PyPI interfaces. We can do something better once the focus shifts from "make the status quo not broken" to making the next generation interfaces a reality (PEP 426 et al).

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
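An added example, not code from this thread or from pip/PyPI, showing the client side of the change being discussed: a download verifier that reads the `#md5=...` / `#sha256=...` fragment on a PyPI simple-index link, refuses MD5-only links unless the caller opts into legacy behaviour, and compares digests in constant time. The function names, the `allow_md5` switch and the sample file bytes are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Digest algorithms a simple-index link may carry in its URL fragment.
# MD5 is treated as legacy and only honoured when explicitly allowed.
STRONG_HASHES = {"sha256"}
LEGACY_HASHES = {"md5"}

# Constructed sample "sdist" contents and their digests, used for the demo below.
SAMPLE = b"constructed sample sdist contents\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a '#algo=hex' fragment, or None."""
    fragment = urlparse(url).fragment
    algo, sep, digest = fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in STRONG_HASHES | LEGACY_HASHES:
        return None
    try:
        # Reject fragments that are not hex of the right length for the algorithm.
        if len(bytes.fromhex(digest)) != hashlib.new(algo).digest_size:
            return None
    except ValueError:
        return None
    return algo, digest


def verify_download(url, data, allow_md5=False):
    """Check downloaded bytes against the link's fragment hash.

    Returns one of: 'ok', 'mismatch', 'no-hash', 'weak-hash'.
    """
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return "no-hash"
    algo, expected = parsed
    if algo in LEGACY_HASHES and not allow_md5:
        return "weak-hash"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    link = "https://example.invalid/simple/pkg/pkg-1.0.tar.gz#sha256=" + SAMPLE_SHA256
    print(verify_download(link, SAMPLE))
```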