would be nice: import from archive
Alex Martelli
aleaxit at yahoo.com
Sat Aug 28 04:45:25 EDT 2004
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> Paul Rubin <http://phr.cx@NOSPAM.invalid> writes:
> > > Side question, does module zipfile already have the code to allow
> > > reading such signed files?
> >
> > I think jar files are just zip files containing an extra file (called
> > "manifest") that has signatures in it. So you can import from a jar
> > as if it were a zip.
>
> But to add to that, if module zipfile is going to eventually expect
> jar files to be signed, the first patch needed is that if it doesn't
> have code to actually check the signatures, it should refuse to load
> jar files.
Presumably that would be an optional argument on the ZipFile constructor
specifying what to do about signatures -- defaulting to 'ignore' for
backwards compatibility, I guess, but possibly 'strict' or 'optional' or
something.
>
> I guess I better check into what Java does about this. It's been a
> while since I've used Java, but I seem to remember that signing is not
> mandatory.
OK, but it might make for a nice optional feature anyway.
Alex
More information about the Python-list
mailing list