[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
Yours, Abdur-Rahmaan Janhangeer pythonmembers.club | github Mauritius On Wed, Jan 8, 2020 at 1:32 AM Brett Cannon wrote: > > > This would be a packaging detail so not something to be specified in the stdlib. Yes, the module opening the zip will look for it >> - [ ] Signing mechanism >> >> M

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 11:09 Christopher Barker, wrote: > > But a thought on that -- you may be able to accomplish something similar > with conda, "conda constructor", and "conda run". -- or a new tool built > from those. The idea is that the first time you ran your "app", it would > install its dep

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 02:15 Barry, wrote: > > Have a look at this write up about the horror that is zip file name > handling. > > https://marcosc.com/2008/12/zip-files-and-encoding-i-hate-you/ > > This has been a pain point at work. > Since zipapp did not touch the subject, I won't either unless w

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Christopher Barker
On Wed, Jan 8, 2020 at 1:49 AM Abdur-Rahmaan Janhangeer < [email protected]> wrote: > Have a look at this write up about the horror that is zip file name >> handling. >> >> https://marcosc.com/2008/12/zip-files-and-encoding-i-hate-you/ >> >> This has been a pain point at work. >> > I'm pretty s

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Christopher Barker
On Wed, Jan 8, 2020 at 1:24 AM Abdur-Rahmaan Janhangeer < [email protected]> wrote: > But a thought on that -- you may be able to accomplish something similar >> with conda, "conda constructor", and "conda run". -- or a new tool built >> from those. The idea is that the first time you ran your

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Andrew Barnert via Python-ideas
On Jan 8, 2020, at 01:09, Abdur-Rahmaan Janhangeer wrote: > > But now, a malicious program might try to modify the info file > and modify the hash. One way to protect even the metadata is > to hash the entire content > > folder/ > file.py # we can add those in a folder if needed > __main

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Andrew Barnert via Python-ideas
On Jan 8, 2020, at 01:09, Abdur-Rahmaan Janhangeer wrote: > > Using the wheel-included zip (A), we can generate another zip file (B) with > the packages installed. That generated zip file is then executed. But that generated zip B doesn’t have a trustable hash on it, so how can you execute it?

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Rhodri James
On 08/01/2020 18:08, many people wrote lots of stuff... Folks, could we pick one list and have the discussion there, rather than on both python-list and python-ideas? Getting *four* copies of Andrew's emails is a tad distracting :-) -- Rhodri James *-* Kynesim Ltd

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Brett Cannon
On Wed, Jan 8, 2020 at 1:09 AM Abdur-Rahmaan Janhangeer < [email protected]> wrote: > > Yours, > > Abdur-Rahmaan Janhangeer > pythonmembers.club | github > Mauritius > > > On Wed, Jan 8, 2020 at 1:32 AM Brett Cannon wrote: > > > > > > This would be a packaging detail so not something to be spe

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 21:29 Andrew Barnert, wrote: > > How does this solve the problem? A malicious program that could modify the > hash inside the info file could even more easily modify the hash at the end > of the zip. > > Existing systems deal with this by recognizing that you can’t prevent > a

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 23:04 Brett Cannon, wrote: > > > > That's under-specified. What hash algorithm was used? How are you going to > specify it? > That was a sha256 demo. But then I can modify the signatures of any of these files by regenerating > them. Please trust me, this isn't simple to get

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 22:14 Rhodri James, wrote: > On 08/01/2020 18:08, many people wrote lots of stuff... > > Folks, could we pick one list and have the discussion there, rather than > on both python-list and python-ideas? Getting *four* copies of Andrew's > emails is a tad distracting :-) > Cho

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Wed, 8 Jan 2020, 22:08 Andrew Barnert, wrote: > > But that generated zip B doesn’t have a trustable hash on it, so how can > you execute it? > The issue of trust is solved by keys, I did not propose something concrete as I'm still looking into a viable scheme If you keep this all hidden insi

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Barry Scott
> On 8 Jan 2020, at 16:02, Christopher Barker wrote: > > On Wed, Jan 8, 2020 at 1:49 AM Abdur-Rahmaan Janhangeer > wrote: > Have a look at this write up about the horror that is zip file name handling. > > https://marcosc.com/2008/12/zip-files-and-encoding-i-hate-

[Python-ideas] [python-ideas] Enhancing Zipapp

2020-01-08 Thread Abdur-Rahmaan Janhangeer
On Thu, 9 Jan 2020, 01:26 Barry Scott, wrote: > > > Also can we stop cross posting to 2 lists please. > > Pick one and keep the thread on it please. > > Barry > Since @James proposed it some mails back, we've been on python-ideas!

[Python-ideas] Re: Enhancing Zipapp

2020-01-08 Thread Andrew Barnert via Python-ideas
On Jan 8, 2020, at 12:04, Abdur-Rahmaan Janhangeer wrote: > > >> On Wed, 8 Jan 2020, 22:08 Andrew Barnert, wrote: >> >> But that generated zip B doesn’t have a trustable hash on it, so how can you >> execute it? > > > The issue of trust is solved by keys, I did > not propose something concr