On 08.03.2013 20:52, Noah Kantrowitz wrote:
> 
> On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote:
> 
>> On 08.03.2013 13:15, Christian Heimes wrote:
>>> On 08.03.2013 12:49, M.-A. Lemburg wrote:
>>>> Together with the added hash tag on the download file URLs (*),
>>>> this would solve the availability and the security aspects.
>>>> Instead of deprecating external links altogether, we could then
>>>> deprecate non-compliant download links and get an overall
>>>> very flexible system for Python package distribution.
>>>>
>>>> (*) Yes, I know, I still have to deliver the updated proposal -
>>>> been working on getting our indexes ready to serve as example :-)
>>>
>>> What does your proposal look like?
>>
>> Here's the first version with the basic idea:
>>
>> http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal
>>
>> After the feedback I got from Holger and Phillip, I'm currently
>> writing a new version, which drops some of the unneeded
>> requirements and spells out a few more things.
>>
>> Here's a very short version...
>>
>> Installers are modified:
>>
>> * to only follow rel="download" links from the /simple/ index page,
>>  which have a hash tag (e.g. #md5=...)
>> * will only use the fetched download page if its contents match
>>  the hash tag
>> * scan that page for rel="download" links, which again have to
>>  have a hash tag to be taken into account
>> * only install files for which the hash tag matches the
>>  downloaded content
>>
>> This should provide a good way to make sure that the downloaded
>> files are indeed under control of the package maintainer.
> 
> MD5 is _not_ acceptable for anything security related and we shouldn't be 
> adding anything that increases our dependence on it. MD5's only use in the 
> packaging world is to make people who forget that TCP has its own checksums 
> feel all warm and fuzzy that there hasn't been _accidental_ download 
> corruption.

I was only using the existing md5 hash tags as an example. Tools should
migrate to support all hashlib algorithms (pip already does),
so the hash tag can be e.g. #sha1=... or #sha256=...

For Python 2.4 only md5 and sha1 would work, since it didn't
come with a hashlib module.

With the extension mechanism Christian proposed, we can also
add all sorts of other things as well, e.g. size indications,
GPG key ID, GPG sigs, etc.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
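The four installer rules quoted in this message (follow only tagged rel="download" links from the index, use the download page only if it matches its tag, scan that page for tagged links, install only files matching their tag), together with the point that the tag may name any hashlib algorithm, as an added Python 3 example that is not code from the thread, from pip or from PyPI. The example.invalid URLs, the HTML and the file bytes are constructed sample data, `fetch` stands in for an HTTP client, and the `allowed` parameter is an assumption that lets an installer restrict the accepted algorithms (for instance to exclude md5).

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag

class DownloadLinks(HTMLParser):  # collects the href of every <a rel="download"> anchor
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "download" in (a.get("rel") or "").split() and a.get("href"):
            self.hrefs.append(a["href"])
def download_links(html):
    p = DownloadLinks(); p.feed(html); return p.hrefs
def split_hash_tag(url, allowed=frozenset(hashlib.algorithms_available)):
    """(url, algo, hexdigest) from a '#algo=hex' tag; None if absent or algo not allowed."""
    base, frag = urldefrag(url)
    algo, sep, digest = frag.partition("=")
    return (base, algo, digest.lower()) if sep and algo in allowed else None
def matches(data, algo, digest):
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)  # constant time

def verified_files(index_html, fetch):
    """Apply the four installer rules; return (accepted_file_urls, rejected_links)."""
    accepted, rejected = [], []
    for page_link in download_links(index_html):
        tag = split_hash_tag(page_link)
        page = fetch(tag[0]) if tag else b""  # rule 1: untagged index links are never fetched
        if tag is None or not matches(page, tag[1], tag[2]):
            rejected.append(page_link)  # rule 2: a page that does not match its tag is dropped
            continue
        for file_link in download_links(page.decode()):  # rule 3: scan the verified page only
            ftag = split_hash_tag(file_link)
            if ftag and matches(fetch(ftag[0]), ftag[1], ftag[2]):
                accepted.append(ftag[0])  # rule 4: install only files matching their tag
            else:
                rejected.append(file_link)
    return accepted, rejected

# Constructed sample data; every tag is computed from the genuine bytes.
def tagged(url, data, algo="sha256"):
    return f"{url}#{algo}={hashlib.new(algo, data).hexdigest()}"
GOOD = b"constructed contents of pkg-1.0.tar.gz"
PAGE = (f'<a rel="download" href="{tagged("https://example.invalid/pkg-1.0.tar.gz", GOOD)}">ok</a>'
        f'<a rel="download" href="{tagged("https://example.invalid/pkg-0.9.tar.gz", GOOD)}">tampered</a>'
        '<a rel="download" href="https://example.invalid/pkg-0.8.tar.gz">no tag</a>').encode()
INDEX = f'<a rel="download" href="{tagged("https://example.invalid/pkg.html", PAGE)}">pkg</a>'
RESOURCES = {"https://example.invalid/pkg.html": PAGE, "https://example.invalid/pkg-1.0.tar.gz": GOOD,
             "https://example.invalid/pkg-0.9.tar.gz": GOOD + b" (modified in transit)"}
```

Running `verified_files(INDEX, RESOURCES.__getitem__)` accepts only pkg-1.0.tar.gz and rejects the tampered and the untagged file links; a page whose own content no longer matches its tag is rejected together with every link on it.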
