[Distutils] option #1 plus download_url scraping

PJ Eby pje at telecommunity.com
Thu Jun 6 00:52:36 CEST 2013


On Wed, Jun 5, 2013 at 2:47 PM, Donald Stufft <donald at stufft.io> wrote:
> One of the big problems with download_url is that the data in setup.py is
> used in (and influences the content of) the final dist file. This means that
> inside of a setup.py you won't know what the hash of the final file is. So
> it's difficult for a setup.py based workflow with external urls to provide
> md5 sums for the files which means that pip and friends can't verify that
> nobody modified the download in transit.

Not if it's done in a setup.py command that runs after the
distributions are built, akin to the way the upload command works now.
If there were, say, an "uplink" command based on a modified version
of upload, it could call the PyPI API to pass along hashed URLs.

At some point I intend to write such a command so that my current
snapshot scripts (which run on the server the downloads are hosted
from) can update PyPI with properly hashed URLs.  (But I'm not sure
when "some point" will be, exactly, so if someone else writes it first
I'll be a happy camper.)
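The post-build hashing step described above, as an added illustration that is not PJ Eby's code, pip's code, or any real "uplink" command: it computes digests of already-built distribution files (what a `dist/` directory holds after `sdist`/`bdist`), appends them to the download URLs in the `#md5=` / `#sha256=` fragment form pip understands, and shows the installer-side check that rejects a modified download. The `uplink_manifest` function, the `downloads.example.invalid` base URL and the sample bytes are constructed for the example.

```python
import hashlib
import hmac
from pathlib import Path
from urllib.parse import urlsplit

# Hash fragments pip recognises on download URLs (the "#md5=..." form the
# thread discusses; sha256 is what a practitioner would choose today).
SUPPORTED_ALGORITHMS = ("md5", "sha256")


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of already-built distribution bytes."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def hashed_url(base_url: str, filename: str, data: bytes, algorithm: str = "md5") -> str:
    """Build <base_url>/<filename>#<algorithm>=<hexdigest> for one built file."""
    return f"{base_url.rstrip('/')}/{filename}#{algorithm}={digest_bytes(data, algorithm)}"


def parse_hash_fragment(url: str):
    """Return (algorithm, hexdigest) from the URL fragment, or None if absent
    or not a supported hash (e.g. an #egg=... fragment)."""
    algorithm, sep, hexdigest = urlsplit(url).fragment.partition("=")
    algorithm = algorithm.lower()
    if not sep or algorithm not in SUPPORTED_ALGORITHMS or not hexdigest:
        return None
    return algorithm, hexdigest.lower()


def verify_download(url: str, data: bytes) -> bool:
    """Installer-side check: bytes fetched from url must match the fragment.
    A URL carrying no hash fragment is treated as unverifiable (False)."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False
    algorithm, expected = parsed
    return hmac.compare_digest(digest_bytes(data, algorithm), expected)


def uplink_manifest(base_url: str, built_files: dict, algorithm: str = "md5") -> dict:
    """Hypothetical post-build 'uplink' payload: one hashed URL per built
    distribution file, ready to be passed along to the index."""
    return {name: hashed_url(base_url, name, data, algorithm)
            for name, data in built_files.items()}


def collect_dist_dir(dist_dir) -> dict:
    """Read every built file from a dist/ directory (run after sdist/bdist)."""
    return {p.name: p.read_bytes()
            for p in sorted(Path(dist_dir).iterdir()) if p.is_file()}


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for a built sdist, not a real tarball.
    built = {"example-1.0.tar.gz": b"constructed sdist bytes"}
    manifest = uplink_manifest("https://downloads.example.invalid/dist", built)
    for name, url in manifest.items():
        print(name, "->", url)
        print("original verifies:", verify_download(url, built[name]))
        print("tampered verifies:", verify_download(url, built[name] + b"x"))
```

Because the digest is taken from the finished file rather than computed inside `setup.py`, the URL can only be produced after the build, which is the ordering point the message makes; an installer that sees no fragment at all gets no integrity guarantee, so the check returns False rather than silently passing.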


More information about the Distutils-SIG mailing list