[Catalog-sig] Proposal: close the PyPI file-replacement loophole
carl at oddbird.net
Thu Feb 2 16:55:31 CET 2012
On 02/01/2012 03:57 PM, PJ Eby wrote:
> On Wed, Feb 1, 2012 at 6:06 AM, Yuval Greenfield <ubershmekel at gmail.com> wrote:
> > Does the setup.py/cfg allow me to require a specific hash on SQLAlchemy
> > when automatically resolving dependencies in pip/easy_install?
> Yes, at least for easy_install. You tack on #md5=.... to your
> find_links URLs, and specify an exact version. easy_install will refuse
> to install them if the MD5 doesn't match. (This will work better for
> source packages than binaries, of course, since you'd only need to
> include one link and MD5 signature in that case.)
FWIW, the exact same technique works if you install with pip.
I haven't been following the conversation closely, but I thought I saw
an assertion or two go by that pip doesn't check MD5 hashes of PyPI
downloads. This is not true; it always checks them by default, assuming
the download link includes the md5 hash fragment (which PyPI-hosted
downloads always do).
If you want to assert a specific md5 hash in your requirements file,
you'd need to link to the sdist directly (rather than using
packagename==version) and include the #md5= hash fragment in the link.
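The check the message describes, as an added example (not code from pip, easy_install or the list posters): a find_links or requirements link carrying a `#md5=<hexdigest>` fragment is parsed, the downloaded bytes are hashed, and a mismatch or a missing fragment is reported rather than silently accepted. The URL, package name and file bytes are constructed, and the `#<algo>=` handling is generalised beyond md5 to any hashlib algorithm as an assumption.

```python
"""Verify a downloaded distribution against the hash fragment in its link."""
import hashlib
import hmac
from urllib.parse import urlparse


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a '#algo=hex' fragment, or None.

    A link without a fragment carries no pin, which is exactly the case the
    message warns about: the installer then has nothing to check against.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        return None
    algo, _, digest = fragment.partition("=")
    algo = algo.lower()
    if algo not in hashlib.algorithms_available:  # assumption: any hashlib name
        raise ValueError("unsupported hash algorithm in fragment: %r" % algo)
    return algo, digest.lower()


def verify_download(url, data):
    """Return True if `data` matches the pin in `url`, False if it does not.

    Raises ValueError when the link carries no pin, so a caller cannot
    mistake an unpinned link for a verified one.
    """
    pin = parse_hash_fragment(url)
    if pin is None:
        raise ValueError("link has no hash fragment; nothing to verify")
    algo, expected = pin
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def requirement_line(url, data, algo="md5"):
    """Build a pinned requirements-file line that links to the sdist directly."""
    digest = hashlib.new(algo, data).hexdigest()
    return "%s#%s=%s" % (url.split("#", 1)[0], algo, digest)


# Constructed sample: a fake sdist and the link an index might publish for it.
SAMPLE_SDIST = b"fake-sdist-bytes\n"
SAMPLE_URL = "https://example.invalid/packages/examplepkg-1.0.tar.gz"

if __name__ == "__main__":
    line = requirement_line(SAMPLE_URL, SAMPLE_SDIST)
    print(line)
    print(verify_download(line, SAMPLE_SDIST))          # True
    print(verify_download(line, SAMPLE_SDIST + b"x"))   # False: altered file
```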