[IPython-dev] Storing signatures outside the notebook
MinRK
benjaminrk at gmail.com
Wed Dec 17 00:54:03 EST 2014
On Tue, Dec 16, 2014 at 4:14 PM, Ondřej Čertík <ondrej.certik at gmail.com>
wrote:
>
> What is the point of the signature in the first place? Is it just to
> verify that the .ipynb file is consistent, i.e. no accidental changes?
> I just use git for that.
>
The question we want to answer is "Has the user explicitly trusted this
notebook?" We don't want to execute untrusted code in html/js outputs when
the notebook is opened. There are two mechanisms to trust a notebook:
1. manually mark that the notebook is trusted
2. execute the entire notebook yourself
The question is all in how IPython stores and checks whether that notebook
is trusted. Currently, IPython hashes the contents of the notebook plus a
secret stored in the user's IPython profile, and stores this value in the
notebook metadata. We don't care about the signature per se, we just want
to know whether the notebook is identical to one that the user trusted
before. Putting it in the metadata was the easiest way to ensure that the
signature followed the notebook around for the user, but it doesn't really
make sense for the signature to follow the notebook into VCS, or onto other
users' machines. One alternative under discussion here is to just hash
trusted notebooks (no secret key) and store the hashes in a
user-only-readable location.
-MinRK
>
> Ondrej
>
> On Tue, Dec 16, 2014 at 12:21 AM, MinRK <benjaminrk at gmail.com> wrote:
> > I've implemented a version of the db option in #7244. Each approach has
> > advantages and disadvantages, but I don't relish having to chase notebook
> > files around with more things associated by filename. We do already do
> that
> > with checkpoints, though, so this could easily be done in the same way.
> >
> > I do think we should do this for 3.0, if we decide we want to do it at
> all,
> > since we are doing an nbformat revision already.
> >
> > -MinRK
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> >
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ipython-dev/attachments/20141216/35615b78/attachment.html>
More information about the IPython-dev
mailing list