[Distutils] option #1 plus download_url scraping

Donald Stufft donald at stufft.io
Thu Jun 6 00:56:01 CEST 2013


On Jun 5, 2013, at 6:52 PM, PJ Eby <pje at telecommunity.com> wrote:

> On Wed, Jun 5, 2013 at 2:47 PM, Donald Stufft <donald at stufft.io> wrote:
>> One of the big problems with download_url is that the data in setup.py is
>> used in (and influences the content of) the final dist file. This means that
>> inside of a setup.py you won't know what the hash of the final file is. So
>> it's difficult for a setup.py based workflow with external urls to provide
>> md5 sums for the files which means that pip and friends can't verify that
>> nobody modified the download in transit.
> 
> Not if it's done in a setup.py command that runs after the
> distributions are built, akin to the way the upload command works now.
> If there were, say, an "uplink" command based on a modified version
> of upload, it could call the PyPI API to pass along hashed URLs.
> 
> At some point I intend to write such a command so that my current
> snapshot scripts (which run on the server the downloads are hosted
> from) can update PyPI with properly hashed URLs.  (But I'm not sure
> when "some point" will be, exactly, so if someone else writes it first
> I'll be a happy camper.)

With static metadata, ideally PyPI will be reading metadata from inside of the uploaded file and all that will be required is for publishing tools to push the file up.

However, something like your uplink command would (assuming I understand it correctly) work fine because those "additional urls to list on the /simple/ page" are not part of the package metadata.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
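
The post-build flow discussed in this thread, sketched as an added example (not code from the original messages, PyPI or setuptools): the digest is computed over the finished dist file, attached to the external URL as a `#<algo>=<hexdigest>` fragment, and checked by the installer after download. The function names, the `example.invalid` host and the sample bytes are constructed for illustration; sha256 is accepted alongside the md5 the thread mentions.

```python
import hashlib
from urllib.parse import urldefrag, urlsplit

# Algorithms accepted in a "#<name>=<hexdigest>" fragment. md5 is what the
# thread mentions; sha256 is included as the stronger choice.
ALLOWED = ("md5", "sha256")

# Constructed sample data (hypothetical host, stand-in file contents).
BASE = "https://downloads.example.invalid/pkg-1.0.tar.gz"
SAMPLE_DIST = b"constructed stand-in for the bytes of pkg-1.0.tar.gz"


def hashed_url(base_url, dist_bytes, algo="sha256"):
    """Publisher side: call this after the dist file is built, so the
    digest covers the final bytes that setup.py's metadata went into."""
    if algo not in ALLOWED:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    digest = hashlib.new(algo, dist_bytes).hexdigest()
    # Drop any fragment already on the URL before appending the hash.
    return "%s#%s=%s" % (urldefrag(base_url).url, algo, digest)


def verify_download(link, downloaded_bytes):
    """Installer side: True only if the link carries a supported hash
    fragment and the downloaded bytes match it."""
    algo, sep, expected = urlsplit(link).fragment.partition("=")
    if not sep or algo not in ALLOWED:
        return False  # no hash, or an algorithm we refuse to trust
    actual = hashlib.new(algo, downloaded_bytes).hexdigest()
    return actual == expected.strip().lower()


if __name__ == "__main__":
    link = hashed_url(BASE, SAMPLE_DIST)
    print(link)
    print("intact file verifies:", verify_download(link, SAMPLE_DIST))
    print("modified file verifies:", verify_download(link, SAMPLE_DIST + b"!"))
    print("unhashed link verifies:", verify_download(BASE, SAMPLE_DIST))
```

The check only protects the download if the page carrying the hashed link is itself fetched over an authenticated channel.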
