[Catalog-sig] hash tags

M.-A. Lemburg mal at egenix.com
Fri Mar 8 22:11:38 CET 2013


On 08.03.2013 20:52, Noah Kantrowitz wrote:
> 
> On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote:
> 
>> On 08.03.2013 13:15, Christian Heimes wrote:
>>> Am 08.03.2013 12:49, schrieb M.-A. Lemburg:
>>>> Together with the added hash tag on the download file URLs (*),
>>>> this would solve the availability and the security aspects.
>>>> Instead of deprecating external links altogether, we could then
>>>> deprecate non-compliant download links and get an overall
>>>> very flexible system for Python package distribution.
>>>>
>>>> (*) Yes, I know, I still have to deliver the updated proposal -
>>>> been working on getting our indexes ready to serve as example :-)
>>>
>>> What does your proposal look like? 
>>
>> Here's the first version with the basic idea:
>>
>> http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal
>>
>> After the feedback I got from Holger and Phillip, I'm currently
>> writing a new version, which drops some of the unneeded
>> requirements and spells out a few more things.
>>
>> Here's a very short version...
>>
>> Installers are modified:
>>
>> * to only follow rel="download" links from the /simple/ index page,
>>  which have a hash tag (e.g. #md5=...)
>> * will only use the fetched download page if its contents match
>>  the hash tag
>> * scan that page for rel="download" links, which again have to
>>  have a hash tag to be taken into account
>> * only install files for which the hash tag matches the
>>  downloaded content
>>
>> This should provide a good way to make sure that the downloaded
>> files are indeed under control of the package maintainer.
> 
> MD5 is _not_ acceptable for anything security related and we shouldn't be adding anything that increases our dependence on it. MD5's only use in the packaging world is to make people who forget that TCP has its own checksums feel all warm and fuzzy that there hasn't been _accidental_ download corruption.

I was only using the existing md5 hash tags as example. Tools should
migrate to support all hashlib algorithms (pip already does),
so the hash tag can be e.g. #sha1=... or #sha256=...

For Python 2.4 only md5 and sha1 would work, since it didn't
come with a hashlib module.

With the extension mechanism Christian proposed, we can also
add all sorts of other things as well, e.g. size indications,
GPG key ID, GPG sigs, etc.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
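The link chain sketched in the message above (index link with hash tag -> download page verified against that tag -> file links with their own tags -> files verified before install), as an added example that is not code from the proposal, from pip, or from any eGenix index. Everything in it is constructed: the "web" is a dict standing in for HTTP, the project name, URLs and file bytes are made up, and the default policy of accepting only sha256 tags is this example's choice (the proposal itself only asks for some hashlib algorithm, which is why the policy is a parameter).

```python
"""Added example (not the proposal's or any installer's code): walk
hash-tagged rel="download" links from a /simple/ page to installable
files, refusing anything whose hash tag is missing or does not match."""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag


def hexdigest(alg, data):
    return hashlib.new(alg, data).hexdigest()


# --- constructed sample content (assumed, not real) -----------------------
GOOD_FILE = b"mxthing-1.0.tar.gz: constructed tarball bytes"
ORIG_1_1 = b"mxthing-1.1.tar.gz: bytes the maintainer actually hashed"

# Maintainer's download page: each file link carries the hash of its file.
# 0.9 has no tag at all; 0.8 is tagged with md5.
DOWNLOAD_PAGE = (
    '<html><body>'
    '<a rel="download" href="https://example.org/pkg/mxthing-1.0.tar.gz#sha256={h10}">1.0</a>'
    '<a rel="download" href="https://example.org/pkg/mxthing-1.1.tar.gz#sha256={h11}">1.1</a>'
    '<a rel="download" href="https://example.org/pkg/mxthing-0.9.tar.gz">0.9</a>'
    '<a rel="download" href="https://example.org/pkg/mxthing-0.8.tar.gz#md5={h08}">0.8</a>'
    '<a rel="homepage" href="https://example.org/">home</a>'
    '</body></html>'
).format(h10=hexdigest("sha256", GOOD_FILE),
         h11=hexdigest("sha256", ORIG_1_1),
         h08=hexdigest("md5", b"old 0.8 bytes")).encode()

# /simple/mxthing/: the link to the download page carries the hash of
# that page, so a swapped-out page is rejected before its links are read.
INDEX_PAGE = (
    '<html><body>'
    '<a rel="download" href="https://example.org/pkg/#sha256={hp}">downloads</a>'
    '<a rel="download" href="https://mirror.example/pkg/">unhashed mirror</a>'
    '</body></html>'
).format(hp=hexdigest("sha256", DOWNLOAD_PAGE)).encode()

WEB = {  # stands in for HTTP; 1.1 is served with bytes that differ from the tag
    "https://example.org/pkg/": DOWNLOAD_PAGE,
    "https://example.org/pkg/mxthing-1.0.tar.gz": GOOD_FILE,
    "https://example.org/pkg/mxthing-1.1.tar.gz": b"not what the maintainer hashed",
    "https://example.org/pkg/mxthing-0.9.tar.gz": b"untagged bytes",
    "https://example.org/pkg/mxthing-0.8.tar.gz": b"old 0.8 bytes",
    "https://mirror.example/pkg/": b"<html>whatever</html>",
}


# --- installer side --------------------------------------------------------
class DownloadLinks(HTMLParser):
    """Collect the href of every <a rel="download"> on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and "download" in (a.get("rel") or "").split():
            self.hrefs.append(a["href"])


def download_links(html):
    p = DownloadLinks()
    p.feed(html.decode("utf-8", "replace"))
    return p.hrefs


def parse_hash_tag(url, allowed):
    """'url#alg=hex' -> (url, alg, hex); None if the tag is missing,
    malformed, the wrong length, or uses an algorithm not in `allowed`."""
    base, frag = urldefrag(url)
    alg, sep, digest = frag.partition("=")
    alg, digest = alg.lower(), digest.lower()
    if not sep or alg not in allowed or alg not in hashlib.algorithms_available:
        return None
    if len(digest) != 2 * hashlib.new(alg).digest_size:
        return None
    try:
        bytes.fromhex(digest)
    except ValueError:
        return None
    return base, alg, digest


def fetch_verified(url, allowed, web):
    """Return (base_url, bytes, None) if the fetched content hashes to
    the tag, else (base_url, None, reason)."""
    tag = parse_hash_tag(url, allowed)
    if tag is None:
        return urldefrag(url)[0], None, "no acceptable hash tag"
    base, alg, expected = tag
    data = web[base]
    if not hmac.compare_digest(hexdigest(alg, data), expected):
        return base, None, "%s mismatch" % alg
    return base, data, None


def resolve(index_html, allowed=frozenset({"sha256"}), web=WEB):
    """Index -> verified download pages -> verified files.
    Returns ({file_url: bytes} installable, [(url, reason)] rejected)."""
    accepted, rejected = {}, []
    for link in download_links(index_html):
        page_url, page, why = fetch_verified(link, allowed, web)
        if page is None:
            rejected.append((page_url, why))
            continue  # an unverified page is not scanned for links at all
        for file_link in download_links(page):
            file_url, data, why = fetch_verified(file_link, allowed, web)
            if data is None:
                rejected.append((file_url, why))
            else:
                accepted[file_url] = data
    return accepted, rejected
```

With the default policy only mxthing-1.0 survives: the mirror link and 0.9 have no tag, 0.8 is tagged with an algorithm outside the policy, and 1.1 is served with bytes that do not hash to its tag. Passing `allowed=frozenset({"sha256", "md5"})` admits 0.8 as well, which is the knob the thread is arguing about; replacing the download page in `WEB` makes the page-level check fail and discards every file link on it without fetching them.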
