On Wed, Jun 5, 2013 at 2:47 PM, Donald Stufft <don...@stufft.io> wrote:
> One of the big problems with download_url is that the data in setup.py is
> used in (and influences the content of) the final dist file. This means that
> inside of a setup.py you won't know what the hash of the final file is. So
> it's difficult for a setup.py based workflow with external urls to provide
> md5 sums for the files which means that pip and friends can't verify that
> nobody modified the download in transit.
Not if it's done in a setup.py command that runs after the distributions are built, akin to the way the upload command works now. If there were, say, an "uplink" command based on a modified version of upload, it could call the PyPI API to pass along hashed URLs.

At some point I intend to write such a command so that my current snapshot scripts (which run on the server the downloads are hosted from) can update PyPI with properly hashed URLs. (But I'm not sure when "some point" will be, exactly, so if someone else writes it first I'll be a happy camper.)

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
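The post-build hashing step discussed in this exchange, as an added example that is not code from the thread, setuptools or pip: the hash is computed from the bytes of the *built* distribution files (so it can only run after the build, as the reply says), turned into `#algo=hexdigest` download URLs of the kind an "uplink"-style command would register, and checked again on the installer side. The base URL, filenames and file contents are constructed placeholders; `hashed_url` and `verify_download` are hypothetical helper names.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hash algorithms accepted in a "#algo=hexdigest" URL fragment. md5 is what the
# thread talks about; sha256 is the one a new deployment should actually use.
SUPPORTED_ALGOS = ("md5", "sha256")


def hashed_url(base_url, filename, dist_bytes, algo="sha256"):
    """Build "<base_url>/<filename>#<algo>=<hexdigest>" from the bytes of a
    built distribution file. Needs the final file, hence post-build only."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    digest = hashlib.new(algo, dist_bytes).hexdigest()
    return f"{base_url.rstrip('/')}/{filename}#{algo}={digest}"


def hashed_urls_for_build(base_url, built_dists, algo="sha256"):
    """Map every built dist (filename -> bytes) to the hashed URL an
    'uplink'-style command would hand to the index; sorted for stable output."""
    return [hashed_url(base_url, name, data, algo)
            for name, data in sorted(built_dists.items())]


def parse_hash_fragment(url):
    """Return (algo, hexdigest) from the URL fragment, or None if absent/unknown."""
    algo, sep, hexdigest = urlparse(url).fragment.partition("=")
    algo = algo.lower()
    if not sep or algo not in SUPPORTED_ALGOS or not hexdigest:
        return None
    return algo, hexdigest.lower()


def verify_download(url, downloaded_bytes):
    """Installer side: True only if the URL carries a usable fragment and the
    downloaded bytes match it. No fragment means unverifiable, so False."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False
    algo, expected = parsed
    actual = hashlib.new(algo, downloaded_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-in for the output of `setup.py sdist`.
    built = {"example-1.0.tar.gz": b"constructed sdist payload"}
    for url in hashed_urls_for_build("https://downloads.example.invalid/dist", built):
        print(url)
```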