[Distutils] easy_install - some thoughts

Phillip J. Eby pje at telecommunity.com
Wed Jul 13 18:49:55 CEST 2005


At 09:13 AM 7/13/2005 +0200, M.-A. Lemburg wrote:
> > It looks like the issue is in bdist_egg.py, write_safety_flag, where
> > an ensure_directory() call is needed. There's a patch for this below,
> > as well.
>
>Talking about "safety": shouldn't this be addressed in a standard
>way, ie. signed packages ?

"Zip safety" refers to whether the package can be safely installed as a zip 
file; i.e., whether the package is likely to work once it has been 
installed that way.  It's not about "safety" in some security sense.


>At the very least, I'd expect the downloader to compare an MD5
>checksum stored in PyPI with the one from the downloaded file.
>Of course, using GPG and checking the signature based on the
>public key of the author would be even better.

At the moment, PyPI only stores MD5s and signatures for packages uploaded 
to PyPI itself, which is an extremely small minority of packages, so I 
haven't implemented this yet.  However, easy_install runs fine on local 
files, so you can download and verify files before running easy_install on 
them.

If somebody wants to contribute patches for MD5 and signing, that would 
certainly be nice.
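The check the two messages above describe, as an added example that is not part of this thread or of easy_install itself: compare the MD5 digest published for a download against the file actually on disk before handing it to easy_install. It assumes the expected digest is carried as a `#md5=<hex>` URL fragment (the convention setuptools' package index uses for download links); the sample archive bytes are constructed inline.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

def expected_md5_from_url(url):
    """Return the hex MD5 in a '#md5=<hex>' fragment, or None if absent/malformed.
    Assumption: the digest travels as a URL fragment, as setuptools does."""
    fragment = urlparse(url).fragment
    if fragment.startswith("md5="):
        digest = fragment[4:].lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            return digest
    return None

def file_md5(path):
    """Stream the file through MD5 so a large archive never sits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, url):
    """True only when a digest was published AND it matches the file.
    No digest fails closed: an unverifiable file is not a verified file.
    compare_digest keeps the comparison constant-time.
    MD5 detects corruption and casual tampering only; it is not collision
    resistant, which is why the email also mentions GPG signatures."""
    expected = expected_md5_from_url(url)
    if expected is None:
        return False
    return hmac.compare_digest(file_md5(path), expected)

# Constructed sample: a stand-in for a downloaded sdist and its digest.
SAMPLE = b"fake sdist contents\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()

def demo():
    """Write the sample to a temp file; check good, wrong and missing digests."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE)
        base = "https://example.invalid/pkg-1.0.tar.gz"  # placeholder host
        good = verify_download(path, base + "#md5=" + SAMPLE_MD5)
        wrong = verify_download(path, base + "#md5=" + "0" * 32)
        missing = verify_download(path, base)
    finally:
        os.unlink(path)
    return good, wrong, missing
```

Only a file that returns `True` from `verify_download` should be passed on to `easy_install <local file>`.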


