On Jul 3, 2013, at 2:19 PM, PJ Eby <p...@telecommunity.com> wrote:

> On Wed, Jul 3, 2013 at 10:51 AM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>> If you deserialize the JSON at an URL like the above into a dict, the PEP
>> 426 metadata is available in the subdict at key "index-metadata" in the
>> top-level dict. Example from setuptools 0.7.5:
>>
>> "index-metadata": {
>> ....
>> "name": "setuptools"
>> },
>>
>> I expect this metadata to track the PEP as changes to it are published.
>> Currently, the top-level dict contains some legacy representations of the
>> metadata which will be removed in due course.
>
> Just an FYI, not sure if this is an issue with your converter or with
> the new spec, but the metadata shown for setuptools is missing
> something important: 0.7.x pins specific distributions of its
> dependencies using dependency_links URLs with #md5 hashes, so that SSL
> support can be installed in a reasonably secure manner, as long as
> you're starting from a trusted copy of the distribution. The
> converted metadata you show lacks this pinning.
>
> Granted, the pinning is somewhat kludged, and the specific need is
> perhaps a rare use case outside of installer tools themselves. But I
> thought it worth pointing out as a limitation of either the converter
> or with the spec itself in relation to version support.
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

PEP426 does not support dependency_links.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
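
Added example (not part of the original thread, and not setuptools' own code): the check that a hash-pinned dependency link implies, verifying downloaded bytes against the hash in the URL fragment before anything is installed. It assumes the `#<algorithm>=<hexdigest>` fragment form and goes beyond the md5 case in the thread to accept SHA-2 pins; the URL, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED = ("md5", "sha1", "sha256", "sha384", "sha512")
# Collision-prone digests: the pin is still checked, but reported as weak.
WEAK = ("md5", "sha1")


class PinError(Exception):
    """The link carries no usable pin, or the payload does not match it."""


def parse_pin(url):
    """Return (algorithm, hexdigest) from a '#<algorithm>=<hexdigest>' fragment."""
    fragment = urlsplit(url).fragment
    algo, sep, digest = fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in ALLOWED:
        raise PinError("no supported hash pin in fragment: %r" % fragment)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or set(digest) - set("0123456789abcdef"):
        raise PinError("malformed %s digest in fragment" % algo)
    return algo, digest


def verify_download(url, payload):
    """Fail closed unless payload hashes to the digest pinned in url."""
    algo, expected = parse_pin(url)
    actual = hashlib.new(algo, payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise PinError("%s mismatch: got %s, pinned %s" % (algo, actual, expected))
    return {"algorithm": algo, "weak": algo in WEAK}


# Constructed sample input: a stand-in payload and a link pinned to its md5.
SAMPLE_PAYLOAD = b"constructed sdist bytes"
SAMPLE_URL = ("https://example.invalid/dist/example-1.0.tar.gz#md5="
              + hashlib.md5(SAMPLE_PAYLOAD).hexdigest())

if __name__ == "__main__":
    print(verify_download(SAMPLE_URL, SAMPLE_PAYLOAD))
```

The pin only binds the download to whatever the distribution that carries the link says, which is why the guarantee holds only when starting from a trusted copy of that distribution.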