[Buildroot] [PATCH 1/6] python-urwid: bump version and add checksums

Peter Korsgaard peter at korsgaard.com
Wed Sep 16 09:09:05 UTC 2015


>>>>> "Baruch" == Baruch Siach <baruch at tkos.co.il> writes:

Hi,

 >> Yeah, the upstream pypi hash URLs are kind of odd. These are the
 >> official links though.

 > The .hash file is all about trust, IMO. Seeing md5 that is an identity 
 > function of the URL just makes me feel uneasy. The package URL at 
 > https://pypi.python.org/pypi/urwid/1.3.0 contains the same link (next to the 
 > file name), but it looks less easy to trick.

Yes, I agree. As long as we have a stronger hash locally computed it
isn't a big deal, but it would be good if the pypi guys could do
something more sensible. I'm not sure who to contact about that though.

-- 
Venlig hilsen,
Peter Korsgaard 
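
Added example, not part of the original message and not Buildroot's own code: it contrasts the check that a "#md5=" URL fragment allows with a check against a locally pinned stronger hash, which is the distinction discussed above. The "<type> <hash> <file>" line layout, the tarball name, the example.invalid host and all helper names are assumptions made for illustration, and the file contents are constructed.

```python
import hashlib
from urllib.parse import urlparse

STRONG = {"sha256", "sha384", "sha512"}

def parse_hash_file(text):
    """Parse '<type>  <hexdigest>  <filename>' lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        algo, digest, name = line.split()
        entries.append((algo.lower(), digest.lower(), name))
    return entries

def url_md5_matches(url, data):
    """Fragment check: the digest and the file arrive from the same source."""
    frag = urlparse(url).fragment
    return frag.startswith("md5=") and frag[4:] == hashlib.md5(data).hexdigest()

def verify_pinned(entries, name, data):
    """Return (ok, reason): every pinned entry must match, one must be strong."""
    mine = [(a, d) for a, d, n in entries if n == name]
    if not mine:
        return False, "no hash entry"
    for algo, digest in mine:
        if hashlib.new(algo, data).hexdigest() != digest:
            return False, algo + " mismatch"
    if not any(a in STRONG for a, _ in mine):
        return False, "only weak hashes pinned"
    return True, "ok"

# Constructed sample data (not real package contents or real digests).
NAME = "urwid-1.3.0.tar.gz"
GOOD = b"constructed stand-in for the reviewed tarball"
TAMPERED = b"constructed stand-in for a substituted tarball"
HASH_FILE = (
    "# md5 as published upstream, sha256 locally computed\n"
    "md5  %s  %s\n" % (hashlib.md5(GOOD).hexdigest(), NAME)
    + "sha256  %s  %s\n" % (hashlib.sha256(GOOD).hexdigest(), NAME)
)

def served_url(data):
    # Placeholder host; the fragment is whatever md5 the serving side states.
    return "https://example.invalid/packages/%s#md5=%s" % (
        NAME, hashlib.md5(data).hexdigest())
```

A file that agrees with the md5 in its own download URL still fails verify_pinned() when it differs from what the packager hashed, because the pinned digests were recorded independently of the URL.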

