[Distutils] New buildout options: checksums and allow-omitted-checksums

[Thomas Lotze]

Hi,

two weeks ago I asked about your opinions on a buildout option
that enforces specifying (MD5) checksums for all files downloaded
through buildout's download utility API. I've been discussing the
subject with Christian Theune in the meantime and would like to
describe a more concrete proposal now that deals with the
questions raised in my previous post:

In analogy with version pinning for eggs, two new options could
be introduced to the buildout section:

- "checksums": This option would name a config section that
  contains checksums for any number of resources by URL. I
  suggest a default value of "checksum" for it. Listing some URL
  with an empty checksum would explicitly express that the
  checksum for this resource should never be checked. I'm not
  sure how to structure the contents of the checksums section:
  URLs are not valid config keys in general (they can contain "="
  characters) but I'd still like to be able to rely on the
  existing mechanism for overriding single options to override
  single checksums. Mapping arbitrary keys to
  whitespace-separated pairs of URL and checksum would work but
  sounds inelegant.

- "allow-omitted-checksums": This option would specify whether
  resources should be downloaded that are not listed in the
  checksums section. I'd like to use False as this option's
  default value, meaning that buildout should raise a UserError
  if a resource is omitted from the checksums section.
  (Intentionally empty checksums would still be allowed.) In
  fact, I'm not completely happy about inventing an option with
  negative semantics but doing it this way is at least consistent
  with "allow-picked-versions".

I'd like to hear other people's opinion on both the general idea
and the details. Unless the whole thing gets shot down, I plan to
start implementing it on a branch of zc.buildout next week.

Thank you.

-- 
Thomas