would be nice: import from archive

"Martin v. Löwis" martin at v.loewis.de
Mon Aug 30 08:43:44 CEST 2004


Paul Rubin wrote:
> so you could say 
>     import x(signed)
> or
>     import x(signed, certfile='mycerts.pem')
> 
> or whatever.

I believe that import is the wrong point in time for checking
signatures. You want to check the signature when the file is
added to sys.path, i.e.

imp.verify_signature(filename)
sys.path.append(filename)

or

imp.verify_all_signatures(sys.path)

That way, you can guarantee that trusted code is on sys.path
all the time. Then, you can also trust any import statement.

Regards,
Martin



More information about the Python-list mailing list