[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Carl Meyer carl at oddbird.net
Thu Feb 2 16:55:31 CET 2012

Hash: SHA1

On 02/01/2012 03:57 PM, PJ Eby wrote:
> On Wed, Feb 1, 2012 at 6:06 AM, Yuval Greenfield <ubershmekel at gmail.com
> <mailto:ubershmekel at gmail.com>> wrote:
>     Does the setup.py/cfg <http://setup.py/cfg> allow me to require a
>     specific hash on SQLAlchemy when automatically resolving
>     dependencies in pip/easy_install?
> Yes, at least for easy_install.  You tack on  #md5=.... to your
> find_links URLs, and specify an exact version.  easy_install will refuse
> to install them if the MD5 doesn't match.  (This will work better for
> source packages than binaries, of course, since you'd only need to
> include one link and MD5 signature in that case.)

FWIW, the exact same technique works if you install with pip.

I haven't been following the conversation closely, but I thought I saw
an assertion or two go by that pip doesn't check MD5 hashes of PyPI
downloads. This is not true; it always checks them by default, assuming
the download link includes the md5 hash fragment (which PyPI-hosted
downloads always do).

If you want to assert a specific md5 hash in your requirements file,
you'd need to link to the sdist directly (rather than using
packagename==version) and include the #md5= hash fragment in the link.

Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Catalog-SIG mailing list