would be nice: import from archive

Alex Martelli aleaxit at yahoo.com
Sat Aug 28 10:45:24 CEST 2004

Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:

> aleaxit at yahoo.com (Alex Martelli) writes:
> > Would it make sense to rely on a naming convention instead?
> > I.e. foo.zip would be unsigned but bar.jar would have to be signed
> > or else no go.  This would have the advantage of allowing
> > substantial granularity in controlling this.
> I think this is reasonable, except what does the import statement look
> like?  Do you say something like "import frob from bar.jar"?

No, you say, as always:

    import frob

Importing looks at each item on sys.path, and each item can be:

1. a directory X -- then import looks for X/frob.py or a subdirectory
    X/frob/ containing an __init__.py (or in either case .pyc or .pyo)

2. a zipfile X.zip -- then import looks inside (unsigned) file X.zip for
    a frob.py, frob.pyc, etc

3. [only novelty...] a signed zipfile X.jar -- then import verifies the
    signature, then, if valid, proceeds as in 2

> > Side question, does module zipfile already have the code to allow
> > reading such signed files?  
> I think jar files are just zip files containing an extra file (called
> "manifest") that has signatures in it.  So you can import from a jar
> as if it were a zip.

But it might be nice to check signatures automatically if reading such
files is a common task.
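
The three-way lookup described in this message can be wired in through `sys.path_hooks`. The block below is an added example, not code from the thread or from Python itself: `verified_jar_hook`, `RejectedArchive`, `install` and `TRUSTED_JAR_DIGESTS` are hypothetical names, and a pinned SHA-256 allow-list stands in for real JAR signature verification, which the standard library does not provide.

```python
import hashlib
import sys
import zipimport

# Assumption: deployer-maintained allow-list of SHA-256 hex digests. It stands in
# for real JAR signature verification, which the standard library does not provide.
TRUSTED_JAR_DIGESTS = set()


def archive_digest(path):
    """Return the SHA-256 hex digest of the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class RejectedArchive:
    """Finder for a .jar that failed the check: it never finds any module."""

    def find_spec(self, fullname, target=None):
        return None


def verified_jar_hook(path_entry):
    """sys.path_hooks callable (hypothetical name) for case 3 of the list above."""
    if not (isinstance(path_entry, str) and path_entry.endswith(".jar")):
        raise ImportError("not a .jar")  # directories and .zip go to the usual hooks
    try:
        ok = archive_digest(path_entry) in TRUSTED_JAR_DIGESTS
    except OSError:
        ok = False
    if not ok:
        # Raising ImportError here would hand the entry to the stock zipimport
        # hook, which would import from it unverified; return a dead finder instead.
        return RejectedArchive()
    return zipimport.zipimporter(path_entry)  # valid: proceed as for a plain zip


def install():
    """Put the hook ahead of zipimport and forget previously cached finders."""
    if verified_jar_hook not in sys.path_hooks:
        sys.path_hooks.insert(0, verified_jar_hook)
    sys.path_importer_cache.clear()
```

The digest is checked once, when the path entry is first seen, and the resulting finder is cached. The archive therefore must not be writable by untrusted users afterwards, because it is read again at import time.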

