[Catalog-sig] hash tags
mal at egenix.com
Fri Mar 8 22:17:41 CET 2013
On 08.03.2013 20:16, PJ Eby wrote:
> On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> After the feedback I got from Holger and Phillip, I'm currently
>> writing a new version, which drops some of the unneeded
>> requirements and spells out a few more things.
>> Here's a very short version...
>> Installers are modified:
>> * to only follow rel="download" links from the /simple/ index page,
>> which have a hash tag (e.g. #md5=...)
>> * will only use the fetched download page if its contents match
>> the hash tag
>> * scan that page for rel="download" links, which again have to
>> have a hash tag to be taken into account
>> * only install files for which the hash tag matches the
>> downloaded content
>> This should provide a good way to make sure that the downloaded
>> files are indeed under control of the package maintainer.
> There is, as I said before, a MUCH simpler way to do this, that works
> right now: put direct #md5 download links in your description, and
> phase out the rel="" attributes altogether.
No, that would be a pretty poor design :-)
The rel="" attributes are good design, since they were meant for
exactly this purpose (machine reading and understanding relations
between origin and target).
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
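
The installer checks listed in the quoted proposal above, sketched as an added example; it is not code from the original message or from any installer. The function names, the `fetch` callable, the `*.example` hosts and the acceptance of `sha256` next to `md5` are assumptions, and the /simple/ index page is taken as trusted as fetched.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

ALLOWED = {"md5", "sha256"}  # md5 is the page's example; sha256 is an assumption

class DownloadLinks(HTMLParser):
    """Collect href values of <a rel="download"> links."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "download" in (a.get("rel") or "").split() and a.get("href"):
            self.hrefs.append(a["href"])

def pinned_links(html, base):
    """Yield (url, algo, digest) for rel="download" links that carry a hash tag."""
    parser = DownloadLinks()
    parser.feed(html)
    for href in parser.hrefs:
        url, frag = urldefrag(urljoin(base, href))
        algo, _, digest = frag.partition("=")
        if algo in ALLOWED and digest:  # links without a usable hash tag are skipped
            yield url, algo, digest.lower()

def fetch_verified(fetch, url, algo, digest):
    """Return the fetched bytes only if they match the pinned hash, else None."""
    body = fetch(url)
    ok = body is not None and hashlib.new(algo, body).hexdigest() == digest
    return body if ok else None

def installable_files(fetch, index_url):
    """Walk index -> download page -> files, keeping only hash-verified content."""
    files = {}
    for page_url, algo, digest in pinned_links(fetch(index_url).decode(), index_url):
        page = fetch_verified(fetch, page_url, algo, digest) or b""  # b"" if missing or changed
        for file_url, falgo, fdigest in pinned_links(page.decode(), page_url):
            data = fetch_verified(fetch, file_url, falgo, fdigest)
            if data is not None:
                files[file_url] = data
    return files

GOOD = b"constructed sdist bytes"  # constructed sample data below, not real packages
PAGE = ('<a rel="download" href="pkg-1.0.tar.gz#md5=%s">1.0</a>'
        '<a rel="download" href="pkg-0.9.tar.gz">0.9</a>' % hashlib.md5(GOOD).hexdigest()).encode()
INDEX = b'<a rel="download" href="http://dl.example/p.html#md5=%s">p</a>' % hashlib.md5(PAGE).hexdigest().encode()
SITE = {"http://index.example/simple/pkg/": INDEX, "http://dl.example/p.html": PAGE,
        "http://dl.example/pkg-1.0.tar.gz": GOOD}
```

Calling `installable_files(SITE.get, "http://index.example/simple/pkg/")` returns only `pkg-1.0.tar.gz`; the unpinned 0.9 link is never fetched, and editing the download page after the index pinned it drops every file that page lists.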