On 08.03.2013 20:16, PJ Eby wrote: > On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg <[email protected]> wrote: >> After the feedback I got from Holger and Phillip, I'm currently >> writing a new version, which drops some of the unneeded >> requirements and spells out a few more things. >> >> Here's a very short version... >> >> Installers are modified: >> >> * to only follow rel="download" links from the /simple/ index page, >> which have a hash tag (e.g. #md5=...) >> * will only use the fetched download page if its contents match >> the hash tag >> * scan that page for rel="download" links, which again have to >> have a hash tag to be taken into account >> * only install files for which the hash tag matches the >> downloaded content >> >> This should provide a good way to make sure that the downloaded >> files are indeed under control of the package maintainer. > > There is, as I said before, a MUCH simpler way to do this, that works > right now: put direct #md5 download links in your description, and > phase out the rel="" attributes altogether.
No, that would be a pretty poor design :-) The rel="" attributes are good design, since they were meant for exactly this purpose (machine reading and understanding relations between origin and target). -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Mar 07 2013) >>> Python Projects, Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::::: Try our mxODBC.Connect Python Database Interface for free ! :::::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
