[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
M.-A. Lemburg
mal at egenix.com
Thu May 8 17:37:57 CEST 2014
On 08.05.2014 16:42, M.-A. Lemburg wrote:
> On 08.05.2014 15:58, Donald Stufft wrote:
>>
>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>
>>> Well, to be fair and leaving aside uptime concerns and the general
>>> desire to always install packages from some server instead of
>>> a safe and trusted local directory (probably too obvious ;-),
>>> it would certainly be possible to add support for
>>> trusted externally hosted packages.
>>
>> There is support for trusted externally hosted packages, you put the URL in
>> PyPI and include a hash in the fragment like so:
>>
>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
>>
>> The hash can be md5 or any of the sha-2 family.
>>
>> Now this does not mean that ``pip install cdecimal`` will automatically install
>> this, because whether or not you're willing to install from servers other than
>> PyPI[1] is a policy decision for the end user of pip.
>
> Hmm, if you call that feature "trusted externally hosted packages",
> pip should really trust them, right ? ;-)
>
> I can understand that pip defaults to not trusting URLs which don't
> meet the above feature requirements, but not that it still warns
> about unreliable externally hosted packages even if the above
> feature is used.
>
> At the moment, pip will refuse to use externally hosted files even
> if the package author uses the above hashed URLs; even with HTTPS
> and proper SSL certificate chain.
Could this perhaps be changed/reconsidered for pip ?
Note that easy_install/setuptools does not have such problems.
--
Marc-Andre Lemburg
eGenix.com
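The hashed-link convention quoted in this message (`...tar.gz#md5=<hex>`, with md5 or a SHA-2 digest in the URL fragment) can be checked on the client side as sketched below. This is an added example, not code from pip, setuptools or the original post; the function names, the `HashCheckError` class and the sample URL are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms the quoted message names: md5 or any of the SHA-2 family.
ALLOWED = {"md5", "sha224", "sha256", "sha384", "sha512"}


class HashCheckError(Exception):
    """Raised when a link carries no usable hash or the payload does not match."""


def parse_hash_fragment(url):
    """Return (algorithm, hex_digest) from a link such as ...tar.gz#md5=<hex>."""
    fragment = urlsplit(url).fragment
    name, sep, digest = fragment.partition("=")
    name = name.lower()
    if not sep or name not in ALLOWED:
        raise HashCheckError("no supported hash in fragment: %r" % fragment)
    digest = digest.lower()
    expected_len = hashlib.new(name).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise HashCheckError("malformed %s digest" % name)
    return name, digest


def verify_download(url, payload):
    """Check payload bytes against the hash pinned in the URL fragment."""
    name, expected = parse_hash_fragment(url)
    actual = hashlib.new(name, payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise HashCheckError("%s mismatch: got %s" % (name, actual))
    return name


# Constructed sample: a stand-in archive body and a link pinned to its SHA-256.
SAMPLE = b"constructed stand-in for a release tarball\n"
SAMPLE_URL = ("https://downloads.example.invalid/pkg-1.0.tar.gz#sha256="
              + hashlib.sha256(SAMPLE).hexdigest())

if __name__ == "__main__":
    print(verify_download(SAMPLE_URL, SAMPLE))
    try:
        verify_download(SAMPLE_URL, SAMPLE + b"tampered")
    except HashCheckError as exc:
        print("rejected:", exc)
```

A passing check only shows that the file matches the digest the index page listed, so the assurance is no stronger than the channel over which that page was fetched. MD5 is not collision resistant, so a SHA-2 digest is the better choice where the publisher can supply one.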