[Python-ideas] Signed eggs?

Paul Moore p.f.moore at gmail.com
Fri Jul 10 15:45:57 CEST 2009


2009/7/10 Tim Lesher <tlesher at gmail.com>:
>> And you could write a PEP 302 installer to load & verify signed eggs.
>> Nothing new here, other than no-one has wanted to do it so far.
>
> Right--that's part of what I'm going to be doing for a current work project.
>
> The rest is "where to store the signature" and "what inputs should
> feed the signature calculation" and "how to verify the egg *without*
> trying to import it".
>
> If there were any past efforts (even failed ones) to do so, I was
> curious to learn from those experiences.  Sounds like it's a green
> field, though.
>
>> BTW, eggs and setuptools are a 3rd party package - there's nothing
>> about them in core Python.
>
> Correct--I misspoke. While eggs are probably the implementation
> technique I'll be looking at, I was interested in any other attempts
> in the past.

I've not done anything like this, so I can't help much. But one thing
that might be worth considering, if you don't mind a new format, would
be a SQLite database for holding the modules. Advantages over zip
files (which is what eggs use) are that you can add extra table
columns, for things like signatures, and that it's read-write, so you
could generate .pyc "files" on the fly rather than relying on
pregeneration like eggs do. The big disadvantage is that you'd be
inventing a new format (although you could write a utility to extract
the files from an egg and load them into a SQLite file, so you'd be
able to reuse existing eggs to some extent).

Paul.
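
Added example (not part of the message above, and not setuptools code): a sketch of the SQLite module store suggested there, with the signature held in an extra column and checked before any module code runs. It uses the current importlib finder/loader API; HMAC-SHA256 with a constructed key stands in for a real public-key signature, and the table layout, module names and key are assumptions.

```python
import hashlib, hmac, importlib.abc, importlib.util, sqlite3, sys

KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key

def sign(name, source):
    # The MAC covers the module name as well as the source, so a signed row
    # cannot be copied under another name without invalidating it.
    msg = name.encode() + b"\0" + source.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def build_store():
    # Constructed sample store: the signature is just another column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE modules (name TEXT PRIMARY KEY, source TEXT, sig BLOB)")
    for name, src in (("demo_good", "VALUE = 42\n"), ("demo_bad", "VALUE = 1\n")):
        db.execute("INSERT INTO modules VALUES (?, ?, ?)", (name, src, sign(name, src)))
    # Modify one row after signing, to exercise the failure path.
    db.execute("UPDATE modules SET source = ? WHERE name = ?", ("VALUE = 666\n", "demo_bad"))
    return db

def verify(db, name):
    # Pure data check: reads the row and compares MACs, executes nothing.
    row = db.execute("SELECT source, sig FROM modules WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise ImportError(f"{name!r} is not in the store", name=name)
    source, sig = row
    if not hmac.compare_digest(sig, sign(name, source)):
        raise ImportError(f"signature mismatch for {name!r}", name=name)
    return source

class SignedSQLiteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    def __init__(self, db):
        self.db = db

    def find_spec(self, fullname, path=None, target=None):
        hit = self.db.execute("SELECT 1 FROM modules WHERE name = ?", (fullname,)).fetchone()
        return importlib.util.spec_from_loader(fullname, self) if hit else None

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        source = verify(self.db, module.__name__)  # verify first, then execute
        exec(compile(source, f"sqlite:{module.__name__}", "exec"), module.__dict__)

def install(db):
    finder = SignedSQLiteFinder(db)
    sys.meta_path.insert(0, finder)
    return finder
```

After `install(build_store())`, `import demo_good` succeeds and `import demo_bad` raises ImportError; `verify()` can also be called on its own to check a row without importing it.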


