On Jul 28, 2013, at 8:31 AM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>
>> I'm going to go ahead and make this change unless someone comes out and
>> contests moving PyPI to SHA256. I'll give it a bit to make sure no one does
>> have an issue with the move.
>
> Your proposal is a little light on specification, unless I've missed it. For
> example:
>
> * How exactly will download URLs change? One would assume they'd have a
>   fragment of 'sha256=...', where they currently have 'md5=...', but can you
>   confirm this?

Yes they will change to have #sha256=... instead of #md5=...

>
> * PyPI's XML-RPC API provides MD5 hashes in result dictionaries using a key
>   'md5_digest'. How will these result dictionaries change under your
>   proposal?

Here we are a little more flexible. I can leave the md5_digest key there and simply add a sha256_digest key.

>
> * PyPI's web interface has actions such as 'show_md5', will these stop
>   working? (By actions, I mean query strings such as ':action=show_md5'.)
>   Will new actions be added?

Again more flexible. I can simply add a show_sha256 action.

>
> I'm not familiar with the change process for PyPI - what is the workflow?
> For example, are patches posted for review?

Typically it's left up to us. We often just work and deploy changes without any review process but we can (and I have) get reviews beforehand. The biggest problem with reviews is PyPI is a very messy codebase with very few people who understand it so the pool of developers qualified to review the code is very small. On the warehouse side of things I don't develop directly on master; everything comes through pull requests and while there's no formal review process a number of folks have been checking my PRs and making comments as they deemed fit.

>
> Regards,
>
> Vinay Sajip
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
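
How a download client could check a file against the `#sha256=...` / `#md5=...` URL fragments discussed in this thread, as an added example that is not part of the original messages or of PyPI's code. The host `pypi.example`, the function names and the `allow_md5` switch are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Strongest first; md5 is listed only so legacy links can be recognised.
PREFERRED = ("sha256", "md5")
HEX = set("0123456789abcdef")


def parse_hash_fragment(url):
    """Return (algorithm, hex_digest) from a '#<algo>=<hex>' fragment, or None."""
    algo, sep, digest = urlsplit(url).fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in PREFERRED:
        return None
    # Reject truncated or non-hex digests instead of comparing against them.
    if len(digest) != hashlib.new(algo).digest_size * 2 or not set(digest) <= HEX:
        return None
    return algo, digest


def verify_download(url, content, allow_md5=False):
    """Check downloaded bytes against the digest carried in the URL fragment."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False  # no usable digest: fail closed
    algo, expected = parsed
    if algo == "md5" and not allow_md5:
        return False  # refuse the weak hash unless the caller opts in
    actual = hashlib.new(algo, content).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (not a real PyPI file or URL).
SAMPLE = b"constructed sdist bytes"
BASE = "https://pypi.example/packages/source/d/demo/demo-1.0.tar.gz"
SHA_URL = BASE + "#sha256=" + hashlib.sha256(SAMPLE).hexdigest()
MD5_URL = BASE + "#md5=" + hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print("sha256, intact file:  ", verify_download(SHA_URL, SAMPLE))
    print("sha256, modified file:", verify_download(SHA_URL, SAMPLE + b"x"))
    print("md5, default policy:  ", verify_download(MD5_URL, SAMPLE))
    print("md5, explicit opt-in: ", verify_download(MD5_URL, SAMPLE, allow_md5=True))
```

The digest only detects a modified file if the page carrying the link was itself fetched over an authenticated channel, since whoever can rewrite the link can rewrite the fragment.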