On Mon, Dec 01, 2014 at 15:29 -0600, Ian Cordasco wrote:
> On Mon, Dec 1, 2014 at 3:23 PM, holger krekel <hol...@merlinux.eu> wrote:
> > On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
> >> On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft <don...@stufft.io> wrote:
> >> >
> >> >> On Dec 1, 2014, at 4:25 AM, holger krekel <hol...@merlinux.eu> wrote:
> >> >>
> >> >> Hi Donald,
> >> >>
> >> >> On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
> >> >>>> On Nov 13, 2014, at 9:21 PM, Donald Stufft <don...@stufft.io> wrote:
> >> >>>>
> >> >>>> Starting a new thread with more explicit details at Richard’s request.
> >> >>>> Essentially the tl;dr here is that we'll switch to using sha2 (specifically
> >> >>>> sha256).
> >> >>>
> >> >>> Ping?
> >> >>>
> >> >>> Are we OK to make this change?
> >> >>
> >> >> sorry i didn't get back earlier. Before the minor release of devpi-server
> >> >> last week i tried for two hours to change devpi-server to accommodate
> >> >> your planned pypi.python.org checksum changes.
> >> >>
> >> >> I found the change cannot easily be done without changes to the underlying
> >> >> database schema and thus needs a major new release of devpi-server because
> >> >> an export/import cycle is needed. When doing that i also want to do
> >> >> some internal cleanup related to name normalization (and also relating
> >> >> to recent pypi.python.org changes) but i need a week or two i guess to
> >> >> do that. However i now think that if you do the pypi.python.org checksum
> >> >> change it shouldn't directly break devpi-server but it would remove
> >> >> checksum checking. I'd rather like to have a new major devpi-server
> >> >> release out when you do the change. Is it ok for you to wait a bit
> >> >> still?
> >> >>
> >> >> best,
> >> >> holger
> >> >
> >> > Yes, we can wait a bit. I was just going over my TODO list and making sure
> >> > things weren’t getting lost in the shuffle.
> >>
> >> Holger,
> >>
> >> Is there any way people on this list can help with the updates to devpi
> >> so that we can get this out sooner?
> >
> > Looking at devpi/server/devpi_server/extpypi.py and
> > devpi/server/devpi_server/model.py mainly and changing most places
> > where "md5" is found in the source and adapting related tests.
> >
> > Is there a specific reason you are in a hurry if i may ask?
> >
> > best,
> > holger
>
> No real hurry. I just like helping out when there's an opening and
> this thread has been around for a short while already. Given the topic
> is related to the security of PyPI and its users, I'd like to help
> move that forward if possible. That's all. (It's mostly me being
> selfish.)

Quite an empathic form of selfishness. If you want to check things out and have questions please feel free to ask, maybe privately.

holger

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig