[Distutils] easy_install - some thoughts
Phillip J. Eby
pje at telecommunity.com
Wed Jul 13 18:49:55 CEST 2005
At 09:13 AM 7/13/2005 +0200, M.-A. Lemburg wrote:
> > It looks like the issue is in bdist_egg.py, write_safety_flag, where
> > an ensure_directory() call is needed. There's a patch for this below,
> > as well.
>
> Talking about "safety": shouldn't this be addressed in a standard
> way, ie. signed packages ?
"Zip safety" refers to whether the package can be safely installed as a zip
file; i.e., whether the package is likely to work once it has been
installed that way. It's not about "safety" in some security sense.
> At the very least, I'd expect the downloader to compare an MD5
> checksum stored in PyPI with the one from the downloaded file.
> Of course, using GPG and checking the signature based on the
> public key of the author would be even better.
At the moment, PyPI only stores MD5's and signatures for packages uploaded
to PyPI itself, which is an extremely small minority of packages, so I
haven't implemented this yet. However, easy_install runs fine on local
files, so you can download and verify files before running easy_install on
them.
If somebody wants to contribute patches for MD5 and signing, that would
certainly be nice.
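The "download locally, verify, then install" workflow suggested above, as an added example that is not part of the original thread and not code from easy_install, setuptools or PyPI. It assumes the published digest is carried as an `#<algo>=<hex>` fragment on the download link (the `#md5=...` form PyPI links used); the file name, URL and archive contents are constructed for the demo.

```python
"""Verify a downloaded distribution against a published digest before
handing it to an installer. Added example, not easy_install's own code."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

CHUNK = 1 << 16  # read archives in 64 KiB pieces; never load the whole file


def digest_file(path, algo="md5"):
    """Return the hex digest of a file for the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest_from_url(url):
    """Parse a '#<algo>=<hex>' fragment (e.g. '#md5=...') from a download
    link. Returns (algo, hex) or None when no usable digest is present.
    The fragment convention is assumed here, not read from any spec."""
    frag = urlparse(url).fragment
    if "=" not in frag:
        return None
    algo, _, hexval = frag.partition("=")
    algo = algo.lower()
    if algo not in hashlib.algorithms_available or not hexval:
        return None
    return algo, hexval.lower()


def verify_file(path, algo, expected_hex):
    """True only if the file's digest matches; constant-time comparison
    so the check itself leaks nothing about how many bytes matched."""
    actual = digest_file(path, algo)
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Constructed walk-through: write a fake sdist, publish its md5 in a
    URL fragment, verify it, then append bytes and verify again.
    Returns (verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0.tar.gz")  # constructed name
        with open(path, "wb") as f:
            f.write(b"constructed sample archive contents\n")
        md5 = digest_file(path, "md5")
        url = "https://example.invalid/example-1.0.tar.gz#md5=" + md5
        algo, expected = expected_digest_from_url(url)
        ok_before = verify_file(path, algo, expected)
        with open(path, "ab") as f:
            f.write(b"tampered\n")
        ok_after = verify_file(path, algo, expected)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # only install when the first value is True
```

Two design points. The digest is looked up by algorithm name, so the same code checks a `#sha256=` fragment, which is what you want given MD5's known collision weakness. And a checksum fetched from the same index page as the file only protects against corruption in transit, not against an index that was altered; binding the digest to the author (the GPG signature suggested in the quoted reply) is the step that closes that gap.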