Re: [Distutils] zc.buildout: new option for requiring MD5 sums for downloads
"Filip M. Noetzel" <filip@j03.de> wrote:
(I'm replying out of band, [...]
I hope you don't mind if I send a copy of my reply back to the list, though.
I think I wrote what you are describing in your post a few months ago:
http://pypi.python.org/pypi/buildout-md5sums (Source at https://github.com/peritus/buildout-md5sums )
It has a very similar purpose indeed. Nice to see that this is something I'm not the only one to want to have. Thank you for pointing it out!
I'd love feedback on it (I use it on a day-to-day basis for my buildouts, but don't know other users).
The problems I see with your approach:

- Patching the download API is technically less than optimal.
- Anchoring MD5 enforcement that deeply within the mechanics means that client code cannot decide whether its associated configuration needs to honour the allow-picked-downloads flag. I'm not sure whether that's a good thing or bad - that's part of what I'm hoping to discuss. I could imagine that one wants to enforce checksums for, e.g., source packages downloaded by a cmmi recipe while avoiding them for base configuration files downloaded by buildout itself.
- As a less technical aspect, you might want to consider a more serious licence for your package if you hope for more wide-spread use.

Thomas
participants (1)
-
Thomas Lotze