[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

M.-A. Lemburg mal at egenix.com
Thu May 8 17:37:57 CEST 2014


On 08.05.2014 16:42, M.-A. Lemburg wrote:
> On 08.05.2014 15:58, Donald Stufft wrote:
>>
>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>
>>> Well, to be fair and leaving aside uptime concerns and the general
>>> desire to always install packages from some server instead of
>>> a safe and trusted local directory (probably too obvious ;-),
>>> it would certainly be possible to add support for
>>> trusted externally hosted packages.
>>
>> There is support for trusted externally hosted packages, you put the URL in
>> PyPI and include a hash in the fragment like so:
>>
>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
>>
>> The hash can be md5 or any of the sha-2 family.
>>
>> Now this does not mean that ``pip install cdecimal`` will automatically install
>> this, because whether or not you're willing to install from servers other than
>> PyPI[1] is a policy decision for the end user of pip. 
> 
> Hmm, if you call that feature "trusted externally hosted packages",
> pip should really trust them, right ? ;-)
> 
> I can understand that pip defaults to not trusting URLs which don't
> meet the above feature requirements, but not that it still warns
> about unreliable externally hosted packages even if the above
> feature is used.
> 
> At the moment, pip will refuse to use externally hosted files even
> if the package author uses the above hashed URLs; even with HTTPS
> and proper SSL certificate chain.

Could this perhaps be changed/reconsidered for pip ?

Note that easy_install/setuptools does not have such problems.

-- 
Marc-Andre Lemburg
eGenix.com
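
The hashed-URL convention quoted in this message, as an added example (not part of the original thread and not pip's or setuptools' own code): it parses the `#<algo>=<hex>` fragment and checks downloaded bytes against it. The function names, the `example.invalid` URL and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms the thread says are accepted: md5 or any of the SHA-2 family.
ALLOWED = {"md5", "sha224", "sha256", "sha384", "sha512"}
HEX = set("0123456789abcdef")


def parse_hash_fragment(url):
    """Return (algorithm, hex_digest) from a '#<algo>=<hex>' URL fragment."""
    fragment = urlsplit(url).fragment
    algo, sep, digest = fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in ALLOWED:
        raise ValueError("no supported hash in URL fragment: %r" % fragment)
    # Reject truncated or non-hex digests instead of comparing them.
    if len(digest) != hashlib.new(algo).digest_size * 2 or set(digest) - HEX:
        raise ValueError("malformed %s digest" % algo)
    return algo, digest


def verify_download(url, data):
    """True only if data hashes to the digest pinned in the URL fragment."""
    algo, expected = parse_hash_fragment(url)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# URL exactly as quoted in the thread.
THREAD_URL = ("http://www.bytereef.org/software/mpdecimal/releases/"
              "cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56")

if __name__ == "__main__":
    # Constructed sample: stand-in bytes, not the real cdecimal tarball.
    payload = b"constructed sample sdist bytes"
    pinned = ("https://files.example.invalid/pkg-1.0.tar.gz#sha256="
              + hashlib.sha256(payload).hexdigest())
    print(parse_hash_fragment(THREAD_URL))
    print(verify_download(pinned, payload))         # matching bytes
    print(verify_download(pinned, payload + b"x"))  # altered bytes
```

The check binds the file contents to whatever digest the index page lists, so it holds regardless of where the file is hosted; it says nothing about whether that host is up.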
