On 26 July 2013 00:37, Philip Jenvey wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> On Jul 25, 2013, at 9:04 AM, Toshio Kuratomi wrote:
>
>> Over on python-dev we're talking about Linux Distributions switching from
>> python2 to python3, what steps they need to take and in what o
On 26 July 2013 21:31, Alex Burke wrote:
> On 26 July 2013 00:37, Philip Jenvey wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>>
>> On Jul 25, 2013, at 9:04 AM, Toshio Kuratomi wrote:
>>
>>> Over on python-dev we're talking about Linux Distributions switching from
>>> python2 to
PyPI has historically used MD5 in order to verify the downloads. However MD5 is
severely broken and is generally regarded as something that should be migrated
away from ASAP. From speaking with a number of cryptographers they've more or
less said that the major reason they believe that MD5 hasn'
On Fri, Jul 26, 2013 at 12:25 PM, Donald Stufft wrote:
> Additionally there is no security list from setuptools versions earlier than
> 0.7.
Not true, actually. Setuptools 0.6 dev releases supported SSL
verification since mid-May, but don't support any hashes besides MD5.
Anybody who updated th
PJ Eby telecommunity.com> writes:
>
> There's also another issue with jumping to SHA256: Python prior to 2.5
> didn't support it.
I'm not sure this is a particularly relevant concern. Pythons prior to 2.5 are
no longer supported by the people who wrote them, or almost any major packages
(SQLA
On Jul 26, 2013, at 2:33 PM, PJ Eby wrote:
> On Fri, Jul 26, 2013 at 12:25 PM, Donald Stufft wrote:
>> Additionally there is no security list from setuptools versions earlier than
>> 0.7.
>
> Not true, actually. Setuptools 0.6 dev releases supported SSL
> verification since mid-May, but don'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 26.07.2013 18:25, Donald Stufft wrote:
> PyPI has historically used MD5 in order to verify the downloads.
> However MD5 is severely broken and is generally regarded as
> something that should be migrated away from ASAP. From speaking
> with a nu
On Jul 26, 2013, at 3:24 PM, Christian Heimes wrote:
> A couple of months ago I suggested a schema that includes MD5, SHA-2
> and file size:
>
> file.tar.gz#MD5=1234&SHA-256=abcd&filesize=5023
>
> That should work for old versions of setuptool and can easily be
> supported in new versions of
On Jul 26, 2013, at 09:58 PM, Nick Coghlan wrote:
>Not everybody uses generated script wrappers, though - if there is a
>hardcoded "/usr/bin/env python" or "/usr/bin/python" in a shebang
>line, the Python build tools won't touch it. There's also a whole lot
>of software that isn't packaged at all
On 26 July 2013 20:32, Barry Warsaw wrote:
> I love `#!/usr/bin/env python` *for development* but I really think it's a
> bad thing to have for installed scripts. Certainly, for distro installed
> scripts, it's (usually) terrible. I think virtualenv installs are generally
> in the same boat
On Jul 26, 2013, at 08:38 PM, Paul Moore wrote:
>There are cases where it's useful and appropriate
Sure, I don't disagree. Just that I think the general rule should be:
* Use /usr/bin/env in your source tree
* Use /usr/bin/$python when installed
I think those rules cover the majority of cases.
On Jul 26, 2013, at 2:33 PM, PJ Eby wrote:
> Anyway, this is all somewhat moot since the hashes only matter when
> the download is hosted somewhere besides PyPI, since SSL verification
> is available for the PyPI part. Even so, I'd suggest that moving to
> SHA1 might be a good intermediate step
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/26/2013 03:32 PM, Barry Warsaw wrote:
> If you're installing a script into a virtualenv, it's better to
> rewrite the shebang to use the executable that was used to install
> it.
Exactly -- the script likely won't run at all outside the environ
On Fri, Jul 26, 2013 at 3:14 PM, Donald Stufft wrote:
> Does the hashlib backport I added to
> setuptools 0.9 for Python 2.4 work on 2.3? It's a pure python
> implementation of hashlib.
Ah, didn't know about that! I can't imagine what problems there would
be; not much changed in 2.4 that can't b
On Jul 26, 2013, at 4:59 PM, PJ Eby wrote:
> On Fri, Jul 26, 2013 at 3:14 PM, Donald Stufft wrote:
>> Does the hashlib backport I added to
>> setuptools 0.9 for Python 2.4 work on 2.3? It's a pure python
>> implementation of hashlib.
>
> Ah, didn't know about that! I can't imagine what proble
On Fri, Jul 26, 2013 at 12:25:36PM -0400, Donald Stufft wrote:
> PyPI has historically used MD5 in order to verify the downloads. However MD5
> is severely broken and is generally regarded as something that should be
> migrated away from ASAP. From speaking with a number of cryptographers
> they
On Jul 26, 2013, at 8:55 PM, zooko wrote:
> On Fri, Jul 26, 2013 at 12:25:36PM -0400, Donald Stufft wrote:
>> PyPI has historically used MD5 in order to verify the downloads. However MD5
>> is severely broken and is generally regarded as something that should be
>> migrated away from ASAP. Fro
On 27 July 2013 06:59, PJ Eby wrote:
> On Fri, Jul 26, 2013 at 3:14 PM, Donald Stufft wrote:
>> Does the hashlib backport I added to
>> setuptools 0.9 for Python 2.4 work on 2.3? It's a pure python
>> implementation of hashlib.
>
> Ah, didn't know about that! I can't imagine what problems there