[Distutils] Re-uploading packages
Christian Theune
ct at gocept.com
Tue Apr 2 22:42:13 CEST 2013
On Apr 2, 2013, at 10:39 PM, holger krekel <holger at merlinux.eu> wrote:
> On Tue, Apr 02, 2013 at 22:12 +0200, Christian Theune wrote:
>> Hi,
>>
>> when developing bandersnatch I saw some checksum errors for the
>> md5sums of downloaded package files that I didn't understand.
>> I just saw another one and just want to check back whether this is
>> true: I can go to PyPI, delete a package version, and upload a
>> different file later.
>>
>> True?
>
> it's certainly possible. Not sure if I even did something like
> this in my early days :)
>
>> This would explain that I can see a file that I downloaded
>> successfully changing its hash over time.
>
> would be cool if bandersnatch can handle this case.
> Maybe queue hash mismatches and only error out if the final
> file mismatches its hash or so?
It does that already: it performs a hash-check of existing files to verify whether they are still intact. If they are not, then it logs a warning (disguised as an error) and redownloads.
Whenever it downloads something that doesn't fit the advertised checksum then it actually errors out (and never redistributes the file to downstream clients).
Christian
--
Christian Theune · ct at gocept.com
gocept gmbh & co. kg · Forsterstraße 29 · 06112 Halle (Saale) · Germany
http://gocept.com · Tel +49 345 1229889-7
Python, Pyramid, Plone, Zope · consulting, development, hosting, operations
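
The two checks described in the reply above, sketched as an added example (not bandersnatch's code and not part of the original message). It assumes a hypothetical `fetch` callable that returns the upstream bytes, and an MD5 value advertised by the index, as in the thread.

```python
import hashlib
import logging
import os
import tempfile

log = logging.getLogger("mirror-example")  # hypothetical logger name


class ChecksumMismatch(Exception):
    """A fresh download does not match the checksum the index advertised."""


def md5_of(path):
    digest = hashlib.md5()  # MD5 because that is the checksum the thread refers to
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sync_file(path, advertised_md5, fetch):
    """Return 'kept' or 'downloaded'; raise ChecksumMismatch on a bad download."""
    if os.path.exists(path):
        if md5_of(path) == advertised_md5:
            return "kept"
        # Local copy no longer matches (corruption, or the release file was
        # deleted and re-uploaded upstream): warn, then fetch it again.
        log.warning("checksum changed for %s, redownloading", path)
    # Stage the download under a temporary name so that an unverified file
    # never appears under the name downstream clients request.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".part")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(fetch())
        actual = md5_of(tmp)
        if actual != advertised_md5:
            # Hard error: the staged file is discarded, never published.
            raise ChecksumMismatch(f"{path}: got {actual}, expected {advertised_md5}")
        os.replace(tmp, path)  # atomic publish, only after verification
        return "downloaded"
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
```

A changed advertised hash for an already mirrored file takes the warning path, while a fresh download that disagrees with the index raises and leaves nothing behind under the served name.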