would be nice: import from archive
aleaxit at yahoo.com
Sat Aug 28 10:45:24 CEST 2004
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> aleaxit at yahoo.com (Alex Martelli) writes:
> > Would it make sense to rely on a naming convention instead?
> > I.e. foo.zip would be unsigned but bar.jar would have to be signed
> > or else no go. This would have the advantage of allowing
> > substantial granularity in controlling this.
> I think this is reasonable, except what does the import statement look
> like? Do you say something like "import frob from bar.jar"?
No, you say, as always:
Importing looks at each item on sys.path, and each item can be:
1. a directory X -- then import looks for X/frob.py or a subdirectory
X/frob/ containing an __init__.py (or in either case .pyc or .pyo)
2. a zipfile X.zip -- then import looks inside (unsigned) file X.zip for
a frob.py, frob.pyc, etc
3. [only novelty...] a signed zipfile X.jar -- then import verifies the
signature, then if valid proceeds as in 2
> > Side question, does module zipfile already have the code to allow
> > reading such signed files?
> I think jar files are just zip files containing an extra file (called
> "manifest") that has signatures in it. So you can import from a jar
> as if it were a zip.
But it might be nice to check signatures automatically if reading such
files is a common task.
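
Case 3 above, sketched as a sys.path hook. This is an added example, not code from the thread or from Python itself. The detached HMAC-SHA256 tag in `<archive>.sig`, the key and all function names are assumptions, standing in for real JAR signature verification, which needs public-key checks the standard library does not provide.

```python
import hashlib, hmac, sys, zipimport

# Assumption: a detached HMAC-SHA256 tag in "<archive>.sig" stands in for the
# signatures a real signed jar carries inside the archive.
TRUST_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


class _RefuseAll:
    """Finder that claims a path entry but never finds a module in it."""
    def find_spec(self, fullname, target=None):
        return None


def _tag(path, key):
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest().encode()


def sign_archive(path, key=TRUST_KEY):
    with open(path + ".sig", "wb") as f:
        f.write(_tag(path, key))


def archive_is_valid(path, key=TRUST_KEY):
    try:
        with open(path + ".sig", "rb") as f:
            return hmac.compare_digest(_tag(path, key), f.read().strip())
    except OSError:  # missing archive or missing tag counts as unsigned
        return False


def signed_jar_hook(entry):
    if not (isinstance(entry, str) and entry.endswith(".jar")):
        raise ImportError("not a .jar entry")  # directories and .zip: other hooks
    if archive_is_valid(entry):
        return zipimport.zipimporter(entry)    # valid: proceed as for a plain zip
    # Raising ImportError here would hand the entry to the stock zipimporter
    # hook, which would load the unverified archive. Claim the entry instead.
    return _RefuseAll()


def install():
    if signed_jar_hook not in sys.path_hooks:
        sys.path_hooks.insert(0, signed_jar_hook)  # must run before zipimporter
        sys.path_importer_cache.clear()            # drop finders cached earlier
```

The archive is read once to verify and again to import, so it has to live where untrusted users cannot replace it between the two reads.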