[Catalog-sig] Proposal: close the PyPI file-replacement loophole

PJ Eby pje at telecommunity.com
Wed Feb 1 23:57:08 CET 2012

On Wed, Feb 1, 2012 at 6:06 AM, Yuval Greenfield <ubershmekel at gmail.com>wrote:

> Does the setup.py/cfg allow me to require a specific hash on SQLAlchemy
> when automatically resolving dependencies in pip/easy_install?

Yes, at least for easy_install.  You tack on  #md5=.... to your find_links
URLs, and specify an exact version.  easy_install will refuse to install
them if the MD5 doesn't match.  (This will work better for source packages
than binaries, of course, since you'd only need to include one link and MD5
signature in that case.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120201/9816092e/attachment.html>

More information about the Catalog-SIG mailing list