If this were apt-get or yum, there would be no concept of hosting apart
from an index, and you would have to run a command like
"apt-add-repository http://xyz.com" or place a file in /etc/... Then
the extra repository + packages would become available.

On Mon, May 12, 2014 at 8:28 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> On 11.05.2014 16:48, Paul Moore wrote:
>> On 11 May 2014 13:47, Donald Stufft <don...@stufft.io> wrote:
>>>> https://pypi.python.org/simple/egenix-mx-base/ has verifiable external
>>>> links. I'm pretty surprised that Donald hasn't heard of mx-base.
>>>
>>> egenix-mx-base does not have verifiable external links. Verifiable external
>>> links must be both directly linked to from the /simple/ index page and
>>> must include a hash. egenix-mx-base does not do this.
>>
>> OK, that clarifies that, and also makes it clear that what constitutes
>> "safe" is not immediately obvious (something you've been saying a lot,
>> but which never really hit home to me before).
>>
>> So, some questions:
>>
>> 1. Is MAL aware that egenix-mx-base is not verifiably externally
>> hosted[1], and if so, what is he asking for? Automatic download with
>> no need for opt-in of unverifiable external downloads? That seems
>> pretty much in conflict with the whole intent of PEP 438.
>
> What we are implementing is a proposal that I brought up before
> PEP 438 was put in place:
>
> Instead of linking directly to all packages, we put up a verifiable
> link to an index page with verifiable links, with the net effect
> being that tools can verify the whole chain.
>
> Note that we also provide MD5, SHA1 hashes and GPG signature for
> all packages, so users get more security, not less :-)
>
> We had wanted to register links to the download files directly
> using the PyPI API and may still implement this (even though it
> gets difficult to admin with so many links per release), but have
> since shifted focus to working on a web installer which solves
> multiple problems at once:
>
> * solving the problem of choosing the right file to download
> * making sure downloads are verified for all Python versions
>   we support
> * adding other features like automatically requesting and
>   installing evaluation licenses which we would like to have
>   for our commercial products
> * making all of the above possible with multiple installers
>   such as pip, easy_install, conda, etc. including older
>   versions of those installers
>
> With the web installer, we'd just have to upload one file
> per release.
>
> PS: Thanks for pointing out the broken link on the download page.
> This is caused by copying the index page from our normal
> PyPI-style simple index to a fixed URL at release, which is done
> to make sure that the registered page content hash doesn't change
> when we recreate our index.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source  (#1, May 12 2014)
>>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
>
> ::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
>
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
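The verifiable link chain Marc-Andre describes above (a hashed link on the PyPI /simple/ page pointing at a project-hosted index page whose own file links carry hashes, so a tool can verify every hop before it trusts a download), as an added example that is not code from this thread, from pip, or from eGenix's installer. It assumes the PEP 438 `#<hashname>=<hexdigest>` URL-fragment convention for hashed links; the URLs, page contents, package bytes and the "index pages end in / or .html" rule are constructed for the example, and the "server" is a dict standing in for HTTPS fetches.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Hash names this example accepts in a '#<name>=<hex>' fragment (PEP 438 style).
ALLOWED_HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}


def hash_fragment(name, data):
    """Build the '#<name>=<hexdigest>' fragment that makes a link verifiable."""
    return "#%s=%s" % (name, hashlib.new(name, data).hexdigest())


# ---- constructed sample data: stand-in for PyPI and the project's download host ----
PKG_GOOD = b"constructed sdist bytes for example-pkg 1.0\n"
PKG_TAMPERED = b"constructed attacker-modified sdist bytes\n"
TAR_URL = "https://downloads.example.org/example-pkg-1.0.tar.gz"
ZIP_URL = "https://downloads.example.org/example-pkg-1.0.zip"
EXT_INDEX_URL = "https://downloads.example.org/simple/example-pkg/index.html"
SIMPLE_URL = "https://pypi.example/simple/example-pkg/"

# Project-hosted index page. The tar.gz link is hashed; the zip link is not (to show rejection).
EXT_INDEX = ("<html><body>\n"
             '<a href="%s%s">example-pkg-1.0.tar.gz</a>\n'
             '<a href="%s">example-pkg-1.0.zip</a>\n'
             "</body></html>\n") % (TAR_URL, hash_fragment("sha256", PKG_GOOD), ZIP_URL)
EXT_INDEX = EXT_INDEX.encode()

# PyPI /simple/ page: one link to the external index, hashed over that page's exact bytes.
SIMPLE_PAGE = ("<html><body>\n"
               '<a href="%s%s" rel="download">external index</a>\n'
               "</body></html>\n") % (EXT_INDEX_URL, hash_fragment("sha256", EXT_INDEX))
SIMPLE_PAGE = SIMPLE_PAGE.encode()

FAKE_SERVER = {SIMPLE_URL: SIMPLE_PAGE, EXT_INDEX_URL: EXT_INDEX,
               TAR_URL: PKG_GOOD, ZIP_URL: PKG_GOOD}


def make_fetch(server):
    """fetch(url) -> bytes over a dict; a real client would do an HTTPS GET here."""
    return lambda url: server[url]


def tampered(server, url, data):
    """Copy of the fake server with one resource replaced (simulates a compromised host)."""
    copy = dict(server)
    copy[url] = data
    return copy


class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(page_bytes, base_url):
    parser = _LinkParser()
    parser.feed(page_bytes.decode("utf-8", "replace"))
    return [urljoin(base_url, h) for h in parser.hrefs]


def split_hash(link):
    """Return (url, hash_name, hexdigest), or (url, None, None) when the link is unverifiable."""
    url, fragment = urldefrag(link)
    name, sep, digest = fragment.partition("=")
    name, digest = name.lower(), digest.lower()
    hex_ok = digest != "" and all(c in "0123456789abcdef" for c in digest)
    if not sep or name not in ALLOWED_HASHES or not hex_ok:
        return url, None, None
    return url, name, digest


def looks_like_index(url):
    # Assumption for this example: index pages end in '/' or '.html'; anything else is a file.
    path = urlsplit(url).path
    return path.endswith("/") or path.endswith(".html")


def walk_verified(page_url, page_bytes, fetch, depth, max_depth, verified, rejected):
    """Follow links from an already-verified page; only hash-verified hops are followed."""
    for link in extract_links(page_bytes, page_url):
        url, name, digest = split_hash(link)
        if name is None:
            rejected.append("%s: no hash fragment, link not verifiable" % url)
            continue
        try:
            data = fetch(url)
        except KeyError:
            rejected.append("%s: fetch failed" % url)
            continue
        if not hmac.compare_digest(hashlib.new(name, data).hexdigest(), digest):
            rejected.append("%s: %s mismatch" % (url, name))
            continue  # a bad index hash stops the chain here; its links are never read
        if looks_like_index(url):
            if depth >= max_depth:
                rejected.append("%s: index nesting too deep" % url)
                continue
            walk_verified(url, data, fetch, depth + 1, max_depth, verified, rejected)
        else:
            verified[url] = data
    return verified, rejected


def verified_downloads(simple_url, fetch, max_depth=2):
    """Root of trust is the /simple/ page served by PyPI itself; returns
    ({url: bytes} for files whose entire link chain verified, [reasons links were rejected])."""
    return walk_verified(simple_url, fetch(simple_url), fetch, 0, max_depth, {}, [])


if __name__ == "__main__":
    for label, server in [
        ("clean", FAKE_SERVER),
        ("file tampered", tampered(FAKE_SERVER, TAR_URL, PKG_TAMPERED)),
        ("index tampered", tampered(FAKE_SERVER, EXT_INDEX_URL,
                                    EXT_INDEX + b'<a href="https://evil.example/x.tar.gz">x</a>')),
    ]:
        ok, bad = verified_downloads(SIMPLE_URL, make_fetch(server))
        print(label, "->", sorted(ok), bad)
```

The third scenario is the point of copying the index to a fixed URL at release time: the hash registered on PyPI covers the index page's exact bytes, so any later change to that page (an extra link, a regenerated listing) fails verification and none of its links are followed. The fragment convention also admits md5 and sha1, which an installer will still accept; a practitioner publishing such links should prefer a sha2 digest, since a collision-weak hash weakens the whole chain.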