On 08.03.2013 12:49, M.-A. Lemburg wrote:
> Together with the added hash tag on the download file URLs (*),
> this would solve the availability and the security aspects.
> Instead of deprecating external links altogether, we could then
> deprecate non-compliant download links and get an overall
> very flexible system for Python package distribution.
>
> (*) Yes, I know, I still have to deliver the updated proposal -
> been working on getting our indexes ready to serve as example :-)
What does your proposal look like? I'd like to propose query string-like key/value pairs. Key/value pairs are more flexible and allow us to add/remove information in the future.

I also propose that we add the file size in octets (bytes with 8 bits in each byte) to the fragment identifier. File size validation prohibits e.g. length extension attacks. It is useful for download tools. I know that HTTP servers usually set a Content-Length header for static files, but the header is set by the CDN, while the information in the fragment identifier shall come from PyPI's internal database.

Example:

defusedxml-0.4.tar.gz#md5=09873c31ce773d48b8a4759571655a2c&sha1=33821e6891e3fc3829f5a238a93490f939533d62&octets=48324

Christian
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
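The following is an added worked example of the fragment scheme proposed in the message above; it is not code from the post, from PyPI, or from any download tool. It assumes exactly the syntax Christian gives (query-string-style `key=value` pairs after `#`, with `md5`, `sha1` and `octets` keys) and shows both sides: a hypothetical `make_download_url` helper standing in for what an index would emit from its own database record, and a `verify_download` routine a download tool would run over the bytes it actually fetched, checking the declared size before any digest. The sample archive bytes and the `example.invalid` host are constructed for the example.

```python
"""Build and verify download URLs carrying a key/value fragment
(md5=...&sha1=...&octets=...), as proposed in the message above.
Added example; not the proposal's or PyPI's own code."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Digest keys this verifier is willing to honour, strongest first.
# Any other key in the fragment is ignored rather than trusted.
SUPPORTED_DIGESTS = ("sha256", "sha1", "md5")


def parse_fragment(url):
    """Return the URL fragment as a dict of lower-cased key -> value.

    The fragment uses query-string syntax, so the standard query-string
    parser applies. Duplicate keys are rejected: a verifier must not have
    to guess which of two conflicting digests is the right one.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return {}
    pairs = parse_qsl(fragment, keep_blank_values=True, strict_parsing=True)
    result = {}
    for key, value in pairs:
        key = key.lower()
        if key in result:
            raise ValueError(f"duplicate key in fragment: {key}")
        result[key] = value
    return result


def make_download_url(base_url, data, digests=("md5", "sha1")):
    """Index side (hypothetical helper): append the fragment for `data`.

    A real index would take the digests and size from its database record
    of the file rather than hashing the bytes on the fly; here we hash the
    constructed sample so the example is self-contained.
    """
    parts = [f"{name}={hashlib.new(name, data).hexdigest()}" for name in digests]
    parts.append(f"octets={len(data)}")
    return f"{base_url}#{'&'.join(parts)}"


def verify_download(url, data):
    """Download-tool side: check the fetched bytes against the fragment.

    Returns the list of checks that passed, in the order they ran.
    Raises ValueError on the first failing check, or when the fragment
    declares nothing this verifier understands.
    """
    expected = parse_fragment(url)
    passed = []

    # Size first: it comes from the index's own record, not from the CDN's
    # Content-Length header, and it is cheap to test before hashing.
    if "octets" in expected:
        declared = expected["octets"]
        if not declared.isdigit():
            raise ValueError(f"octets is not a non-negative integer: {declared!r}")
        if int(declared) != len(data):
            raise ValueError(f"size mismatch: declared {declared}, got {len(data)}")
        passed.append("octets")

    for name in SUPPORTED_DIGESTS:
        if name not in expected:
            continue
        actual = hashlib.new(name, data).hexdigest()
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(actual, expected[name].lower()):
            raise ValueError(f"{name} mismatch")
        passed.append(name)

    if not passed:
        raise ValueError("fragment declares no check this verifier understands")
    return passed


if __name__ == "__main__":
    sample = b"constructed sample archive bytes\n"  # constructed, not a real sdist
    url = make_download_url("https://example.invalid/defusedxml-0.4.tar.gz", sample)
    print(url)
    print("intact:", verify_download(url, sample))
    try:
        verify_download(url, sample[:-1])
    except ValueError as exc:
        print("truncated:", exc)
```

The size check is deliberately run before the digests: a truncated or padded file is rejected without hashing it, and a file of the right length that was altered in place is still caught by the digest comparison. Keys the verifier does not recognise are ignored rather than rejected, which is what makes the key/value form extensible as the post argues.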