[Catalog-sig] an immutable mirror of PyPI

Chris Withers chris at simplistix.co.uk
Tue Jul 19 19:46:38 CEST 2011

On 18/07/2011 23:04, M.-A. Lemburg wrote:
> BTW: To address your repeatability/security concerns, the tools you are
> using would also have to store the hash check sum of the downloaded
> packages together with the version. AFAIK, buildout only pins down
> versions, not MD5/SHA1 sums.

I'm pretty sure there's a hashing extension for buildout downloads.



Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk
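
Added example, not part of the original message and not code from buildout or any of its extensions: a minimal sketch of why a version pin alone does not give repeatability, and how a digest stored next to the version catches a changed file. The pin-line format, the package names and the sample bytes are constructed for illustration, and SHA-256 is used here in place of the MD5/SHA1 sums mentioned in the quoted text.

```python
import hashlib
import hmac
import string

# Constructed sample data: the same name and version served with different bytes.
ORIGINAL = b"print('example-pkg 1.0')\n"
REPLACED = b"print('example-pkg 1.0, re-uploaded')\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pins(text: str) -> dict:
    """Parse lines of the hypothetical form 'name==version sha256=<hex>'."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        requirement, _, digest_field = line.partition(" ")
        name, sep, version = requirement.partition("==")
        algo, eq, digest = digest_field.strip().partition("=")
        is_hex = len(digest) == 64 and all(c in string.hexdigits for c in digest)
        # Refuse anything that is not an exact version plus a full digest.
        if not (name and sep and version and algo == "sha256" and eq and is_hex):
            raise ValueError(f"pin needs exact version and sha256: {raw!r}")
        pins[(name.lower(), version)] = digest.lower()
    return pins


def verify(pins: dict, name: str, version: str, data: bytes) -> str:
    """Return 'ok', 'unpinned' or 'hash-mismatch' for a downloaded artifact."""
    expected = pins.get((name.lower(), version))
    if expected is None:
        return "unpinned"  # fail closed: no recorded digest, no install
    actual = sha256_hex(data)
    return "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"


# Digest recorded when the artifact was first downloaded and reviewed.
PINS = parse_pins(f"example-pkg==1.0 sha256={sha256_hex(ORIGINAL)}  # first download\n")

if __name__ == "__main__":
    print(verify(PINS, "example-pkg", "1.0", ORIGINAL))   # same bytes
    print(verify(PINS, "example-pkg", "1.0", REPLACED))   # same version, new bytes
    print(verify(PINS, "other-pkg", "2.0", ORIGINAL))     # never pinned
```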
