
Hi,

when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand. I just saw another one and just want to check back whether this is true: I can go to PyPI, delete a package version, and upload a different file later. True? This would explain that I can see a file that I downloaded successfully changing its hash over time. Feels like a bad idea to me, but I guess this is part of the "PyPI doesn't have an opinion" deal …

Christian

On Tue 02 Apr 2013 04:12:23 PM EDT, Christian Theune wrote:
> when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand.

Firstly, thanks for programming bandersnatch --- what an awesome tool! Secondly, I see these hash mismatches too with bandersnatch. Would be good to know what's happening.

On Tue, Apr 02, 2013 at 22:12 +0200, Christian Theune wrote:
> Hi,
> when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand. I just saw another one and just want to check back whether this is true: I can go to PyPI, delete a package version, and upload a different file later.
> True?

It's certainly possible. Not sure if I even did something like this in my early days :)

> This would explain that I can see a file that I downloaded successfully changing its hash over time.

Would be cool if bandersnatch can handle this case. Maybe queue hash mismatches and only error out if the final file mismatches its hash or so?

best,
holger

> Feels like a bad idea to me, but I guess this is part of the "PyPI doesn't have an opinion" deal …
> Christian
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

On Apr 2, 2013, at 10:39 PM, holger krekel <holger@merlinux.eu> wrote:
> On Tue, Apr 02, 2013 at 22:12 +0200, Christian Theune wrote:
> > Hi,
> > when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand. I just saw another one and just want to check back whether this is true: I can go to PyPI, delete a package version, and upload a different file later.
> > True?
>
> It's certainly possible. Not sure if I even did something like this in my early days :)
>
> > This would explain that I can see a file that I downloaded successfully changing its hash over time.
>
> Would be cool if bandersnatch can handle this case. Maybe queue hash mismatches and only error out if the final file mismatches its hash or so?

It does that already: it performs a hash-check of existing files to verify whether they are still intact. If they are not, then it logs a warning (disguised as an error) and redownloads. Whenever it downloads something that doesn't fit the advertised checksum then it actually errors out (and never redistributes the file to downstream clients).

Christian

--
Christian Theune · ct@gocept.com
gocept gmbh & co. kg · Forsterstraße 29 · 06112 Halle (Saale) · Germany
http://gocept.com · Tel +49 345 1229889-7
Python, Pyramid, Plone, Zope · consulting, development, hosting, operations
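The two-tier check Christian describes above, written out as an added example (not bandersnatch's own code): an existing local file that no longer matches the index's advertised digest is only a warning and triggers a redownload, while a freshly downloaded file whose digest disagrees with the index is a hard error and is never published. The `fetch` callable, the temporary directory layout and the sample package bytes are assumptions constructed for this demo.

```python
import hashlib
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("mirror")

class ChecksumMismatch(Exception):
    """Freshly downloaded bytes do not match the digest the index advertises."""

def digest_of(data: bytes, algo: str = "md5") -> str:
    # PyPI advertised md5 in 2013; the algorithm is a parameter so a stronger
    # digest can be used wherever the index provides one.
    return hashlib.new(algo, data).hexdigest()

def verify_existing(path: Path, advertised: str, algo: str = "md5") -> bool:
    """True if the local copy still matches the index. A mismatch is only a
    warning: upstream may legitimately have deleted and re-uploaded the file."""
    ok = path.exists() and digest_of(path.read_bytes(), algo) == advertised
    if path.exists() and not ok:
        log.warning("%s: local digest differs from index, redownloading", path)
    return ok

def sync_file(path: Path, advertised: str, fetch, algo: str = "md5") -> bool:
    """Mirror one file; True if (re)downloaded. fetch() returns upstream bytes."""
    if verify_existing(path, advertised, algo):
        return False
    data = fetch()
    got = digest_of(data, algo)
    if got != advertised:  # hard error: never publish bytes the index disowns
        raise ChecksumMismatch(f"{path.name}: expected {advertised}, got {got}")
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_bytes(data)
    tmp.replace(path)  # atomic rename: downstream never sees a partial file
    return True

def demo() -> tuple:
    """Constructed scenario: mirror v1, upstream re-uploads, then a bad fetch."""
    old, new, bogus = b"sdist v1", b"sdist v1 rebuilt", b"corrupt"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pkg-1.0.tar.gz"
        first = sync_file(path, digest_of(old), lambda: old)      # initial mirror
        unchanged = sync_file(path, digest_of(old), lambda: old)  # still intact
        replaced = sync_file(path, digest_of(new), lambda: new)   # upstream changed
        try:  # index now advertises a third upload, but the fetch returns junk
            sync_file(path, digest_of(b"sdist v1 again"), lambda: bogus)
            rejected = False
        except ChecksumMismatch:
            rejected = path.read_bytes() == new  # good copy left untouched
    return first, unchanged, replaced, rejected
```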

We prevent people from uploading files to replace contents, but not deleting and re-uploading. That would take additional tracking not built into the system.

Richard

On 3 April 2013 07:12, Christian Theune <ct@gocept.com> wrote:
> Hi,
> when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand. I just saw another one and just want to check back whether this is true: I can go to PyPI, delete a package version, and upload a different file later.
> True?
> This would explain that I can see a file that I downloaded successfully changing its hash over time.
> Feels like a bad idea to me, but I guess this is part of the "PyPI doesn't have an opinion" deal …
> Christian

On 02-04-13 22:12, Christian Theune wrote:
> Hi,
> when developing bandersnatch I saw some checksum errors for the md5sums of downloaded package files that I didn't understand. I just saw another one and just want to check back whether this is true: I can go to PyPI, delete a package version, and upload a different file later.
> True?

I have seen that happen too, a while ago. I don't think I noticed it often. I did notice it for one or more distribute releases, maybe one or two years ago.

I noticed because I am using collective.eggproxy, which is basically a pypi mirror that only gets a distribution from pypi when it is actually requested by a user: https://pypi.python.org/pypi/collective.eggproxy So it is a partial mirror, saving bandwidth and disk space.

What happened was that buildout or easy_install was requesting distribute version X. The mirror had that package locally, but its index.html file was updated with a new md5 sum from pypi. The new md5 sum did not match the md5 sum of the previously downloaded distribution. So apparently the distribution got replaced on pypi. I don't know why. I compared the old and new version of the package. I think they differed slightly in size, but unpacked they were exactly the same, so I did not mention it at the time.

So: yes, it can happen. Of course, here I assume that this was not some manual action by one of my colleagues on the eggproxy and also not some freak error in collective.eggproxy.

--
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl
participants (5)
- Christian Theune
- holger krekel
- Maurits van Rees
- Richard Jones
- Trishank Karthik Kuppusamy