On 06/22/2012 11:38 AM, Donald Stufft wrote:
> On Friday, June 22, 2012 at 5:22 AM, Dag Sverre Seljebotn wrote:
>
>> What Bento does is have one metadata file for the source-package, and
>> another metadata file (manifest) for the built-package. The latter is
>> normally generated by the build process (but follows a standard
>> nevertheless). Then that manifest is used for installation (through
>> several available methods).
> From what I understand, this dist.(yml|json|ini) would be replacing the
> manifest, not the bento.info, then. When bento builds a package compatible
> with the proposed format, instead of generating its own manifest
> it would generate the dist.(yml|json|ini).

Well, but I think you need to care about the whole process here.

Focusing only on the "end-user case" and binary installers has the flip side that smuggling in a back door is incredibly easy in compiled binaries. You simply upload a binary that doesn't match the source.

The reason PyPI isn't one big security risk is that packages are built from source, and so you can have some confidence that backdoors would be noticed and highlighted by somebody.

Having a common standard for the binary installation phase would be great, sure, but security-minded users would still need to build from source in every case (or trust a 3rd party build farm that builds from source). The reason you can trust RPMs at all is because they're built from SRPMs.

Dag
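The concern above is that an uploaded binary need not match the source it claims to come from. An added example, not code from this thread or from Bento, of the check a distributor or cautious user can run: hash every file in an independent from-source build and diff it against the contents of the published binary package. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_manifests(source_build, uploaded_binary):
    """Diff the uploaded package against the trusted from-source build.

    Returns (missing, extra, changed): files absent from the upload, files that
    exist only in the upload, and files whose content differs. Anything other
    than three empty lists means the binary does not match its source.
    """
    missing = sorted(set(source_build) - set(uploaded_binary))
    extra = sorted(set(uploaded_binary) - set(source_build))
    changed = sorted(
        p for p in source_build
        if p in uploaded_binary and source_build[p] != uploaded_binary[p]
    )
    return missing, extra, changed


def demo():
    # Constructed sample: a from-source build and an "uploaded" binary tree that
    # differs by one modified module and one file present only in the upload.
    with tempfile.TemporaryDirectory() as tmp:
        src, upl = Path(tmp, "from_source"), Path(tmp, "uploaded")
        for base in (src, upl):
            (base / "pkg").mkdir(parents=True)
            (base / "pkg" / "__init__.py").write_text("VERSION = '1.0'\n")
        (src / "pkg" / "core.py").write_text("def run():\n    return 42\n")
        (upl / "pkg" / "core.py").write_text("def run():\n    return 42\n# unexplained change\n")
        (upl / "pkg" / "helper.py").write_text("pass\n")
        return compare_manifests(hash_tree(src), hash_tree(upl))


if __name__ == "__main__":
    print(demo())  # ([], ['pkg/helper.py'], ['pkg/core.py'])
```

The same comparison applies to a Bento-style manifest or a dist.(yml|json|ini) that records per-file hashes: generate it from a local source build and diff it against the one shipped with the binary.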
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev