[Catalog-sig] hash tags

Noah Kantrowitz noah at coderanger.net
Fri Mar 8 20:52:33 CET 2013

On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote:

> On 08.03.2013 13:15, Christian Heimes wrote:
>> On 08.03.2013 12:49, M.-A. Lemburg wrote:
>>> Together with the added hash tag on the download file URLs (*),
>>> this would solve the availability and the security aspects.
>>> Instead of deprecating external links altogether, we could then
>>> deprecate non-compliant download links and get an overall
>>> very flexible system for Python package distribution.
>>> (*) Yes, I know, I still have to deliver the updated proposal -
>>> been working on getting our indexes ready to serve as example :-)
>> What does your proposal look like?
> Here's the first version with the basic idea:
> http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal
> After the feedback I got from Holger and Phillip, I'm currently
> writing a new version, which drops some of the unneeded
> requirements and spells out a few more things.
> Here's a very short version...
> Installers are modified:
> * to only follow rel="download" links from the /simple/ index page,
>  which have a hash tag (e.g. #md5=...)
> * will only use the fetched download page if its contents match
>  the hash tag
> * scan that page for rel="download" links, which again have to
>  have a hash tag to be taken into account
> * only install files for which the hash tag matches the
>  downloaded content
> This should provide a good way to make sure that the downloaded
> files are indeed under control of the package maintainer.

MD5 is _not_ acceptable for anything security related and we shouldn't be adding anything that increases our dependence on it. MD5's only use in the packaging world is to make people who forget that TCP has its own checksums feel all warm and fuzzy that there hasn't been _accidental_ download corruption.
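As an added illustration, not code from the thread, from the wiki proposal or from any installer, the link-following and hash-tag checks the quoted proposal describes, written in Python. The trusted-algorithm set deliberately omits md5 in line with the objection above; the `example.invalid` URLs, the page markup and the file bytes are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_ALGOS = {"sha256"}  # trusted fragment algorithms; md5 deliberately excluded

def make_hash_tag_url(url, content, algo="sha256"):
    """Maintainer side: append '#algo=hexdigest' of content to a download URL."""
    return f"{url}#{algo}={hashlib.new(algo, content).hexdigest()}"

def parse_hash_tag(url):
    """Return (algo, digest) from a '#algo=hex' fragment, None if absent or untrusted."""
    algo, sep, digest = urlparse(url).fragment.partition("=")
    algo = algo.lower()
    if not sep or not digest or algo not in ALLOWED_ALGOS:
        return None
    return algo, digest.lower()

def content_matches(content, tag):
    """Installer side: True when the fetched bytes hash to the tag's digest."""
    return hashlib.new(tag[0], content).hexdigest() == tag[1]

class DownloadLinkParser(HTMLParser):
    """Collect hrefs of <a rel="download"> anchors on a fetched download page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "download" in (a.get("rel") or "").split() and a.get("href"):
            self.links.append(a["href"])

def eligible_download_links(page_bytes, page_tag):
    """Discard the page unless it matches its own tag, then keep only tagged download links."""
    if not content_matches(page_bytes, page_tag):
        return []
    parser = DownloadLinkParser()
    parser.feed(page_bytes.decode("utf-8"))
    return [u for u in parser.links if parse_hash_tag(u) is not None]

# Constructed sample (not a real project): one sha256-tagged file, one md5-tagged.
FILE_BYTES = b"pkg-1.0 tarball bytes (constructed)"
GOOD_LINK = make_hash_tag_url("https://example.invalid/pkg-1.0.tar.gz", FILE_BYTES)
PAGE = (b'<html><a rel="download" href="' + GOOD_LINK.encode() + b'">sha256</a>'
        b'<a rel="download" href="https://example.invalid/old.tar.gz#md5=d41d8cd9">md5</a></html>')
PAGE_TAG = parse_hash_tag(make_hash_tag_url("https://example.invalid/pkg/", PAGE))

def demo():
    """Links the installer may follow, and whether FILE_BYTES would pass the final check."""
    links = eligible_download_links(PAGE, PAGE_TAG)
    return links, all(content_matches(FILE_BYTES, parse_hash_tag(u)) for u in links)
```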

