At 09:13 AM 7/13/2005 +0200, M.-A. Lemburg wrote:
> > It looks like the issue is in bdist_egg.py, write_safety_flag, where
> > an ensure_directory() call is needed. There's a patch for this below,
> > as well.
>
> Talking about "safety": shouldn't this be addressed in a standard
> way, i.e. signed packages?

"Zip safety" refers to whether the package can be safely installed as a zip file; i.e., whether the package is likely to work once it has been installed that way. It's not about "safety" in some security sense.

> At the very least, I'd expect the downloader to compare an MD5
> checksum stored in PyPI with the one from the downloaded file.
> Of course, using GPG and checking the signature based on the
> public key of the author would be even better.

At the moment, PyPI only stores MD5s and signatures for packages uploaded to PyPI itself, which is an extremely small minority of packages, so I haven't implemented this yet. However, easy_install runs fine on local files, so you can download and verify files before running easy_install on them. If somebody wants to contribute patches for MD5 and signing, that would certainly be nice.

_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
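An added example (editor's code, not part of the thread or of setuptools) of the "download, verify, then point easy_install at the local file" step the reply describes. It assumes the expected digest was obtained separately, e.g. from the index, and that the algorithm name is one hashlib knows; the sample archive bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Digests whose collision resistance is broken: an MD5 check of the kind
# PyPI stored in 2005 still catches a corrupted download, but not a file
# chosen by an attacker. Prefer sha256 when the index publishes it.
WEAK_ALGORITHMS = {"md5", "sha1"}


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Stream the file through hashlib so a large sdist need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hexdigest, algorithm="md5"):
    """Return (ok, reason); hand the file to easy_install only when ok is True."""
    actual = file_digest(path, algorithm)
    # Constant-time comparison: cheap, and the right habit for any digest check.
    if not hmac.compare_digest(actual.lower(), expected_hexdigest.lower()):
        return False, "digest mismatch: expected %s, got %s" % (expected_hexdigest, actual)
    if algorithm.lower() in WEAK_ALGORITHMS:
        return True, "%s matches, but only rules out corruption, not tampering" % algorithm
    return True, "%s matches" % algorithm


def demo():
    """Constructed sample: a fake sdist, its 'published' MD5, then a tampered copy."""
    payload = b"Foo-1.0.tar.gz: constructed sample bytes, not a real archive"
    published_md5 = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        local = os.path.join(d, "Foo-1.0.tar.gz")
        with open(local, "wb") as f:
            f.write(payload)
        ok_clean, _ = verify_download(local, published_md5)
        with open(local, "ab") as f:          # simulate a modified download
            f.write(b"\n# extra bytes")
        ok_tampered, _ = verify_download(local, published_md5)
    return ok_clean, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```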
