[Catalog-sig] Proposal: close the PyPI file-replacement loophole

"Martin v. Löwis" martin at v.loewis.de
Mon Jan 30 22:43:35 CET 2012


Am 30.01.2012 22:14, schrieb Chris Withers:
> I'm fairly certain PyPI provides MD5 keys for the paranoid...

Indeed. Users wishing to make sure that the source code they manually
reviewed stays the same should really record the md5 of the file, and
verify that it is still the same file when downloading it again.

It appears that buildout has mechanisms to hard-code the md5sum into
the recipe. It would be desirable if other automatic download tools
offered similar mechanisms.

Regards,
Martin
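The check Martin describes, recording a digest of a reviewed release file and refusing a later download that does not match it, as an added example (not code from the thread, from PyPI or from buildout). The archive bytes and the INI-style recipe fragment are constructed samples; `md5sum` follows the option name buildout download recipes use, while the `sha256sum` option and the `example.invalid` URL are assumptions added only to show the same mechanism with a stronger digest:

```python
"""Pin-and-verify check for downloaded release files (added example)."""
import configparser
import hashlib
import hmac

# Constructed stand-in for the bytes of a downloaded sdist; not a real release.
SAMPLE_SDIST = b"example-1.0.tar.gz: constructed sample archive bytes\n"


def record_pin(content: bytes, algorithm: str = "md5") -> str:
    """Digest to write into the recipe after manually reviewing `content`."""
    return hashlib.new(algorithm, content).hexdigest()


def verify_download(content: bytes, pinned: str, algorithm: str = "md5") -> bool:
    """True only if `content` hashes to the pinned digest.

    compare_digest avoids short-circuiting on the first differing character;
    the digest is public here, but the habit costs nothing.
    """
    actual = hashlib.new(algorithm, content).hexdigest()
    return hmac.compare_digest(actual.lower(), pinned.strip().lower())


# Constructed recipe fragment in buildout's INI-style syntax. `md5sum` is the
# option name buildout download recipes use; `sha256sum` is an assumed
# extension showing that the same check works with a stronger digest.
RECIPE_TEMPLATE = """
[example-sdist]
url = https://example.invalid/example-1.0.tar.gz
md5sum = {md5}
sha256sum = {sha256}
"""


def build_recipe(content: bytes) -> str:
    """Render the recipe with digests taken from the reviewed file."""
    return RECIPE_TEMPLATE.format(
        md5=record_pin(content, "md5"),
        sha256=record_pin(content, "sha256"),
    )


def check_recipe(recipe_text: str, section: str, content: bytes) -> dict:
    """Verify `content` against every *sum option in one recipe section.

    Returns {option: bool}; a single False means the file differs from the
    one that was reviewed, e.g. because the release file was replaced on
    the index after the pin was recorded.
    """
    parser = configparser.ConfigParser()
    parser.read_string(recipe_text)
    results = {}
    for option, pinned in parser.items(section):
        if option.endswith("sum"):
            algorithm = option[:-3]  # "md5sum" -> "md5", "sha256sum" -> "sha256"
            results[option] = verify_download(content, pinned, algorithm)
    return results


if __name__ == "__main__":
    recipe = build_recipe(SAMPLE_SDIST)
    print(recipe)
    print("unchanged file:", check_recipe(recipe, "example-sdist", SAMPLE_SDIST))
    print("replaced file: ", check_recipe(recipe, "example-sdist", SAMPLE_SDIST + b"# modified\n"))
```

Run as a script it prints the rendered recipe, then an all-True result for the reviewed bytes and an all-False result for a one-line change, which is the signal a download tool should turn into a hard failure rather than a warning.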
