[Distutils] Metadataformat PEP 426 on PyPI?

Vinay Sajip vinay_sajip at yahoo.co.uk
Wed Jul 3 23:41:52 CEST 2013

PJ Eby <pje <at> telecommunity.com> writes:

> Just an FYI, not sure if this is an issue with your converter or with
> the new spec, but the metadata shown for setuptools is missing
> something important: 0.7.x pins specific distributions of its
> dependencies using dependency_links URLs with #md5 hashes, so that SSL
> support can be installed in a reasonably secure manner, as long as
> you're starting from a trusted copy of the distribution.  The
> converted metadata you show lacks this pinning.

True, although I do capture the dependency links under the 'dependency-urls'
key of the top level dict of the JSON I linked to. While dependency_links is
not directly supported by PEP 426, the intent is there via "direct references".

When installing using distlib/distil, SSL host verification and hash
verification are done, even when direct references are not specified, since
the versions of dependencies are pinned. For example, if I install
setuptools into a fresh venv:

$ pyvenv-3.3 /tmp/venv
$ distil -e /tmp/venv install "setuptools [ssl,certs]"
Checking requirements for setuptools (0.7.7) ... done.
The following new packages will be downloaded and installed:
    certifi (0.0.8) [for setuptools]
    setuptools (0.7.7)
Proceed? (y/n) y
Downloading certifi-0.0.8.tar.gz to /tmp/tmpccek0f [for setuptools]
    115KB @ 667 KB/s 100 % Done: 00:00:00
Unpacking ... done.
Downloading setuptools-0.7.7.tar.gz to /tmp/tmpchxc1x
    736KB @ 393 KB/s 100 % Done: 00:00:01
Unpacking ... done.
[installation feedback snipped]

Below is an extract from distil.log for the above installation, showing the
downloading and verification operations:

Downloading certifi-0.0.8.tar.gz to /tmp/tmpccek0f [for setuptools]
Digest specified: dc5f5e7f0b5fc08d27654b17daa6ecec
Host verified: pypi.python.org
Digest verified: dc5f5e7f0b5fc08d27654b17daa6ecec
Library location: venv site-packages
Downloading setuptools-0.7.7.tar.gz to /tmp/tmpchxc1x
Digest specified: 0d7bc0e1a34b70a97e706ef74aa7f37f
Host verified: pypi.python.org
Digest verified: 0d7bc0e1a34b70a97e706ef74aa7f37f
Library location: venv site-packages

Distil includes the Mozilla certs and thus is able to do SSL host
validation. The hash support is currently limited to MD5 because PyPI has
not supported other formats, but I expect that will be rectified in due course.


Vinay Sajip
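As an added example (not code from distil, distlib, or the poster), the snippet below reproduces the "Digest specified / Digest verified" check that the distil.log extract above records. It assumes the `#<algo>=<hex>` URL-fragment convention that dependency_links and PyPI download URLs use for pinning (e.g. `#md5=dc5f...`), accepts the other hashlib algorithms as well as MD5 since the post expects PyPI to add stronger formats, and treats a URL with no usable pin as unverified rather than silently passing. The archive bytes and the `example.invalid` URLs are constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a downloaded sdist such as certifi-0.0.8.tar.gz.
SAMPLE_ARCHIVE = b"constructed archive bytes, not a real sdist\n"

# Hash names the verifier accepts in a '#<algo>=<hex>' fragment. MD5 is kept
# only because the page says PyPI currently supplies nothing else.
SUPPORTED_ALGOS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def parse_digest_fragment(url):
    """Return (algo, hexdigest) from a '#<algo>=<hex>' URL fragment, or None.

    None means the URL carries no recognised pin: unknown algorithm, wrong
    digest length, or non-hex characters all count as 'no pin' so that a
    malformed fragment can never be mistaken for a successful check.
    """
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        return None
    algo, _, hexdigest = fragment.partition("=")
    algo = algo.lower()
    hexdigest = hexdigest.lower()
    if algo not in SUPPORTED_ALGOS:
        return None
    expected_len = hashlib.new(algo).digest_size * 2
    if len(hexdigest) != expected_len or not set(hexdigest) <= set("0123456789abcdef"):
        return None
    return algo, hexdigest


def verify_digest(data, algo, expected_hex):
    """Compare the digest of data with the pinned value in constant time."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def fragment_for(data, algo="md5"):
    """Publisher side: build the fragment a trusted distribution would pin."""
    return "%s=%s" % (algo, hashlib.new(algo, data).hexdigest())


def check_download(url, data):
    """Verify downloaded bytes against the pin in url.

    Returns (ok, log_lines): ok is True on match, False on mismatch and None
    when the URL has no usable pin (so callers can refuse to proceed).
    """
    log = []
    pin = parse_digest_fragment(url)
    if pin is None:
        log.append("No digest specified: download cannot be treated as verified")
        return None, log
    algo, expected = pin
    log.append("Digest specified: %s" % expected)
    if verify_digest(data, algo, expected):
        log.append("Digest verified: %s" % expected)
        return True, log
    actual = hashlib.new(algo, data).hexdigest()
    log.append("Digest MISMATCH (%s): expected %s, got %s" % (algo, expected, actual))
    return False, log


if __name__ == "__main__":
    pinned_url = "https://example.invalid/pkg-1.0.tar.gz#" + fragment_for(SAMPLE_ARCHIVE, "sha256")
    for name, payload in (("intact", SAMPLE_ARCHIVE), ("tampered", SAMPLE_ARCHIVE + b"!")):
        ok, lines = check_download(pinned_url, payload)
        print(name, ok)
        for line in lines:
            print("   ", line)
```

The mismatch and no-pin paths are the ones an installer must never collapse into "verified": a download whose URL carries no digest is only as trustworthy as the transport, which is why the post pairs this check with SSL host verification.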