On 11.05.2014 16:48, Paul Moore wrote:
> On 11 May 2014 13:47, Donald Stufft <[email protected]> wrote:
>>> https://pypi.python.org/simple/egenix-mx-base/ has verifiable external
>>> links. I'm pretty surprised that Donald hasn't heard of mx-base.
>>
>> egenix-mx-base does not have verifiable external links. Verifiable external
>> links must be both directly linked to from the /simple/ index page and
>> must include a hash. egenix-mx-base does not do this.
> 
> OK, that clarifies that, and also makes it clear that what constitutes
> "safe" is not immediately obvious (something you've been saying a lot,
> but which never really hit home to me before).
> 
> So, some questions:
> 
> 1. Is MAL aware that egenix-mx-base is not verifiably externally
> hosted[1], and if so, what is he asking for? Automatic download with
> no need for opt-in of unverifiable external downloads? That seems
> pretty much in conflict with the whole intent of PEP 438.

What we are implementing is a proposal that I brought up before
PEP 438 was put in place:

Instead of linking directly to all packages, we put up a verifiable
link to an index page with verifiable links, with the net effect
being that tools can verify the whole chain.

Note that we also provide MD5, SHA1 hashes and GPG signature for
all packages, so users get more security, not less :-)

We had wanted to register links to the download files directly
using the PyPI API and may still implement this (even though it
gets difficult to admin with so many links per release), but have
since shifted focus to working on a web installer which solves
multiple problems at once:

* solving the problem of choosing the right file to download
* making sure downloads are verified for all Python versions
  we support
* adding other features like automatically requesting and
  installing evaluation licenses which we would like to have
  for our commercial products
* making all of the above possible with multiple installers
  such as pip, easy_install, conda, etc. including older
  versions of those installers

With the web installer, we'd just have to upload one file
per release.

PS: Thanks for pointing out the broken link on the download page.
This is caused by copying the index page from our normal
PyPI-style simple index to a fixed URL at release, which is done
to make sure that the registered page content hash doesn't change
when we recreate our index.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, May 12 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Distutils-SIG maillist  -  [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
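The verification chain described in the thread above (a hashed link from the /simple/ page to an external index page whose own links carry hashes, so a tool can check every hop, and a link without a hash is "unverifiable"), as an added example that is not part of this thread and is not eGenix's or pip's code: a one-hop walker over constructed in-memory pages. The pypi.example and downloads.example URLs, the file bytes and the page contents are made up; the walker only follows links carrying an #algo=hexdigest fragment, checks the external index page's content hash before scraping it, and reports every link it could not verify.

```python
import hashlib
import html.parser
import urllib.parse

# Hash algorithms a tool may accept in a "#algo=hexdigest" link fragment.
ALLOWED_HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".whl", ".egg")


class _LinkParser(html.parser.HTMLParser):
    """Collect the href of every <a> tag on an index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(page, base_url):
    parser = _LinkParser()
    parser.feed(page.decode("utf-8"))
    return [urllib.parse.urljoin(base_url, h) for h in parser.hrefs]


def split_hash(url):
    """Return (url without fragment, algo, hexdigest); algo is None if no usable hash."""
    parts = urllib.parse.urlsplit(url)
    bare = urllib.parse.urlunsplit(parts._replace(fragment=""))
    algo, _, digest = parts.fragment.partition("=")
    if algo.lower() in ALLOWED_HASHES and digest:
        return bare, algo.lower(), digest.lower()
    return bare, None, None


def digest_of(data, algo):
    return hashlib.new(algo, data).hexdigest()


def check(link, fetch):
    """Fetch one hashed link and compare; returns (bare_url, data_or_None, status)."""
    bare, algo, expected = split_hash(link)
    if algo is None:
        return bare, None, "unverified: no hash"   # never fetched
    data = fetch(bare)
    if digest_of(data, algo) != expected:
        return bare, None, "hash mismatch"
    return bare, data, "verified"


def verify_chain(index_url, fetch):
    """Walk /simple/<project>/ -> hashed external index page -> hashed files.

    Only the root index is trusted. A link without a hash is reported and never
    fetched; an external index page is scraped only after its own content hash
    matched, and its links are checked but not followed further (one hop).
    """
    results = {}
    for link in extract_links(fetch(index_url), index_url):
        bare, data, status = check(link, fetch)
        results[bare] = status
        if data is not None and not bare.endswith(ARCHIVE_SUFFIXES):
            results[bare] = "verified index"
            for sub in extract_links(data, bare):
                sub_bare, _, sub_status = check(sub, fetch)
                results[sub_bare] = sub_status
    return results


def build_example():
    """Constructed in-memory pages standing in for PyPI and a vendor download host."""
    dl = "https://downloads.example/goodpkg/"   # hypothetical host
    sdist = b"constructed sdist bytes"
    wheel = b"constructed wheel bytes"
    pages = {
        dl + "goodpkg-1.0.tar.gz": sdist,
        dl + "goodpkg-1.0.whl": wheel,
        dl + "goodpkg-1.0.zip": b"swapped after the index was published",
        dl + "goodpkg-0.9.tar.gz": b"old release",
        dl + "unhashed/": b"<html></html>",
    }
    ext_index = (
        '<a href="goodpkg-1.0.tar.gz#sha256=%s">sdist</a>' % digest_of(sdist, "sha256")
        + '<a href="goodpkg-1.0.whl#md5=%s">wheel</a>' % digest_of(wheel, "md5")
        + '<a href="goodpkg-1.0.zip#sha256=%s">zip</a>' % ("0" * 64)
        + '<a href="goodpkg-0.9.tar.gz">old sdist, no hash</a>'
    ).encode()
    pages[dl + "index.html"] = ext_index
    root = "https://pypi.example/simple/goodpkg/"   # hypothetical /simple/ page
    pages[root] = (
        '<a href="%sindex.html#sha256=%s">external index</a>'
        % (dl, digest_of(ext_index, "sha256"))
        + '<a href="%sunhashed/">download page without hash</a>' % dl
    ).encode()
    return root, pages


def run_example():
    root, pages = build_example()
    return verify_chain(root, pages.__getitem__)


if __name__ == "__main__":
    for url, status in sorted(run_example().items()):
        print(f"{status:22} {url}")
```

Running it lists the two hashed files as verified, the zip whose bytes changed as a hash mismatch, and both the old sdist and the second download page as unverified because their links carry no hash; those two are never fetched. Changing a single byte of the external index page makes the root link itself fail and drops every file beneath it, which is the reason the PS gives for freezing a copy of the index page at a fixed URL: the hash registered on the /simple/ page has to keep matching the page it points to.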