[Catalog-sig] hash tags

M.-A. Lemburg mal at egenix.com
Fri Mar 8 14:47:14 CET 2013 

On 08.03.2013 13:50, M.-A. Lemburg wrote:
> On 08.03.2013 13:15, Christian Heimes wrote:
>> I like to propose query string-like
>> key/value pairs. key/value pairs are more flexible and allow us to
>> add/remove new information in the future.
> 
> Good idea. I'll add that as extension mechanism.
> 
>> I also propose that we add the file size in octets (bytes with 8bits in
>> each byte) to the fragment identifier. File size validation prohibits
>> e.g. length extension attacks. It is useful to download tools. I know
>> that HTTP servers usually set a Content-Length header for static files.
>> But the header is set by the CDN while the information in the fragment
>> identifier shall come from PyPI's internal database.
>>
>> Example:
>>
>> defusedxml-0.4.tar.gz#md5=09873c31ce773d48b8a4759571655a2c&sha1=33821e6891e3fc3829f5a238a93490f939533d62&octets=48324
> 
> Minor nit: s/octets/size
> 
> We could probably even add GPG sigs to the link.
> 
> The only problem with the extension mechanism is that the currently
> available installers only support "#md5=...".
> 
> Perhaps there's some way to trick them into still working with
> the query-style fragment links ?!

Too bad... at least distribute/setuptools enforces this:

    def check_md5(self, cs, info, filename, tfp):
        if re.match('md5=[0-9a-f]{32}$', info):
           ...

If it weren't for that '$', we'd have no problem.

At least distribute currently doesn't check the download links
from the /simple/ page at all, so we can use the extension
mechanism there without breaking older versions of the tools.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

More information about the Catalog-SIG mailing list