At 01:09 PM 12/20/2005 -0800, Bob Ippolito wrote:
The ez_setup bootstrap definitely checks the md5 for known versions of setuptools, and I'm assuming that a similar feature is in easy_install for normal packages.
No need to assume; see the 'check_md5' method of the PackageIndex class in setuptools.package_index. ;)
*Any* URL processed by PackageIndex that ends with a "#md5=" anchor will have its md5 verified upon download. If the match fails, the downloaded file is immediately deleted and an error is raised.
(In addition, PyPI pages' MD5 sums for downloads are preprocessed into the "#md5=" format using a regular expression search.)