[Catalog-sig] File integrity checking and host blocking for EasyInstall

Phillip J. Eby pje at telecommunity.com
Fri Aug 19 01:08:23 CEST 2005


On Mon, 15 Aug 2005, Richard Jones wrote:
>On Mon, 15 Aug 2005 09:06 am, Phillip J. Eby wrote:
> > The first part of the plan is to add md5 digest checking to
> > EasyInstall.  Because one of EasyInstall's design goals is to make it easy
> > for anybody to publish links to packages, we need to be able to include the
> > md5 signature in a package's URL.  I'm thinking we could achieve this via
> > an '#md5=...' fragment identifier.  For example, a setuptools source
> > archive URL might be:
> >
> > http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zip#md5=91f31a9058330174640a867cf5d4de57
>
>Any idea what various "normal" browsers do when they encounter something like
>this?

Well, Firefox works fine.  I haven't tried IE or Mozilla or anything 
else.  That is a valid link above, so if you still have the original email 
you can click on it and see what happens.  :)


> > So, this is not a complete security solution, as it doesn't deal with
> > end-to-end file integrity, and could easily be subverted by taking over a
> > site somewhere in the middle (e.g. python.org).  But until we have more of
> > the cryptographic infrastructure in place, I think this plan could provide
> > us with a good starting point.  Comments, anyone?
>
>I presume the distutils discussion included the signing of packages that PyPI
>supports?

Yes; I have yet to encounter a signed package, though, and I also don't 
want to try to implement signature checking in the 0.6 series of 
setuptools.  I'll first need to learn to use GPG and get a real 
understanding of how it deals with trust chains, and understand what 
EasyInstall should do with them.  Unless of course somebody already knows 
what the design should be and can explain it well enough for me to 
implement.  :)

Even then though, I'd like to get 0.6a1 out the door first.  I'm not 100% 
sure 0.6a1 will even do any of the md5 stuff I proposed.
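
[Added example, not part of the original email and not EasyInstall's code: a sketch of how an installer could consume the '#md5=...' fragment proposed above. The function names are hypothetical; only the fragment convention and the setuptools URL come from the thread, and the demo payload is constructed.]

```python
import hashlib
import hmac
import io
import re
from urllib.parse import urldefrag

# Hypothetical helper names; only the '#md5=<hex>' convention comes from the email.
_FRAGMENT = re.compile(r"^md5=([0-9a-fA-F]{32})$")


def split_md5_url(url):
    """Return (download_url, expected_hex or None) for a '#md5=' link."""
    base, fragment = urldefrag(url)
    match = _FRAGMENT.match(fragment)
    if fragment.startswith("md5=") and not match:
        # A malformed digest must fail closed, not be treated as "no digest".
        raise ValueError("malformed md5 fragment: %r" % fragment)
    return base, match.group(1).lower() if match else None


def verify_stream(stream, expected_hex, chunk_size=65536):
    """Hash a file-like object in chunks and compare with the expected digest."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex)


def check_download(url, stream):
    """Return 'verified', 'unverified' (no digest in link) or raise on mismatch."""
    _, expected = split_md5_url(url)
    if expected is None:
        return "unverified"
    if not verify_stream(stream, expected):
        raise ValueError("md5 mismatch for %s" % url)
    return "verified"


if __name__ == "__main__":
    # Constructed sample: the payload and its digest are made up for this demo.
    payload = b"constructed archive bytes"
    link = "http://example.invalid/pkg-1.0.zip#md5=" + hashlib.md5(payload).hexdigest()
    print(check_download(link, io.BytesIO(payload)))
```

The digest travels with the link, so the check only ties the downloaded bytes to whoever published the link; as the quoted proposal says, it does not give end-to-end integrity if the linking site itself is taken over.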


