[Catalog-sig] hash tags

M.-A. Lemburg mal at egenix.com
Fri Mar 8 22:17:41 CET 2013

On 08.03.2013 20:16, PJ Eby wrote:
> On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> After the feedback I got from Holger and Phillip, I'm currently
>> writing a new version, which drops some of the unneeded
>> requirements and spells out a few more things.
>> Here's a very short version...
>> Installers are modified:
>> * to only follow rel="download" links from the /simple/ index page,
>>   which have a hash tag (e.g. #md5=...)
>> * will only use the fetched download page if its contents match
>>   the hash tag
>> * scan that page for rel="download" links, which again have to
>>   have a hash tag to be taken into account
>> * only install files for which the hash tag matches the
>>   downloaded content
>> This should provide a good way to make sure that the downloaded
>> files are indeed under control of the package maintainer.
> There is, as I said before, a MUCH simpler way to do this, that works
> right now: put direct #md5 download links in your description, and
> phase out the rel="" attributes altogether.

No, that would be a pretty poor design :-)

The rel="" attributes are good design, since they were meant for
exactly this purpose (machine reading and understanding relations
between origin and target).

Marc-Andre Lemburg
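
The installer behaviour summarised in the quoted proposal, as an added example that is not part of the original message or of any installer's code: both hops (index to download page, download page to file) must carry a hash tag and match it. The `fetch` callable, the `*.example` hosts, and accepting `sha256` alongside the `md5` tag named in the mail are assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin
ALLOWED = {"md5", "sha256"}  # assumption: the mail only gives "#md5=..." as an example

class DownloadLinks(HTMLParser):
    """Collect hrefs of <a> tags whose rel attribute contains "download"."""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and "download" in (a.get("rel") or "").split():
            self.hrefs.append(a["href"])  # hrefs is set by hashed_links() before feed()

def hashed_links(html, base):
    """Yield (url, algo, digest) for rel="download" links that carry a hash tag."""
    parser = DownloadLinks()
    parser.hrefs = []
    parser.feed(html)
    for href in parser.hrefs:
        url, frag = urldefrag(urljoin(base, href))
        algo, sep, digest = frag.partition("=")
        if sep and algo in ALLOWED and digest:
            yield url, algo, digest.lower()

def verified(body, algo, digest):
    """True only if body was fetched and its digest equals the hash tag."""
    return body is not None and hashlib.new(algo, body).hexdigest() == digest

def resolve(fetch, index_url):
    """Return {file_url: bytes} for files reached through two verified hops."""
    files = {}
    for page_url, a, d in hashed_links(fetch(index_url).decode(), index_url):
        page = fetch(page_url)
        if not verified(page, a, d):
            continue  # download page does not match the hash tag in the index
        for file_url, fa, fd in hashed_links(page.decode(), page_url):
            data = fetch(file_url)
            if verified(data, fa, fd):
                files[file_url] = data
    return files

def demo_site():
    """Constructed sample data on hypothetical hosts, served from a dict."""
    good, tag = b"pkg-1.0 contents", lambda b: "#md5=" + hashlib.md5(b).hexdigest()
    a = '<a rel="download" href="%s">x</a>'
    page = (a % ("pkg-1.0.tar.gz" + tag(good)) + a % ("swapped-1.0.tar.gz" + tag(good))
            + a % "untagged-1.0.tar.gz").encode()
    index = (a % ("http://ext.example/dl/" + tag(page)) + a % ("http://stale.example/dl/#md5=" + "0" * 32)).encode()
    return {"http://index.example/simple/pkg/": index, "http://ext.example/dl/": page,
            "http://stale.example/dl/": page, "http://ext.example/dl/pkg-1.0.tar.gz": good,
            "http://ext.example/dl/swapped-1.0.tar.gz": b"pkg-1.0 modified"}
```

Calling `resolve(demo_site().get, "http://index.example/simple/pkg/")` keeps only `pkg-1.0.tar.gz`: the untagged link is never fetched, the swapped file fails its tag, and the stale download page is rejected before its links are read.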
