would be nice: import from archive

Alex Martelli aleaxit at yahoo.com
Sat Aug 28 09:43:55 CEST 2004

Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:

> aleaxit at yahoo.com (Alex Martelli) writes:
> > While the overall way the new import hooks work is well documented in
> > their PEP, zipimport is admittedly underdocumented.  I suggest peeking
> OK.  I'll look at the PEP.  I think adding signing is hairy enough
> that it should have its own round of discussion; should I see about
> editing the PEP to add something about signing?

I think that would be an excellent idea.  If it was just about allowing
import from signed zipfiles it might not be needed, but how best to let
the user optionally DIS-allow imports from UN-signed files does appear
to be something requiring a little debate.  An environment variable
would have the advantage of letting the disallowing work even for the
early imports that Python does before application code gets control, but
some people dislike relying on environment variables particularly for
security-related configuration tasks.  Would it make sense to rely on a
naming convention instead?  I.e. foo.zip would be unsigned but bar.jar
would have to be signed or else no go.  This would have the advantage of
allowing substantial granularity in controlling this.

Side question, does module zipfile already have the code to allow
reading such signed files?  Otherwise a first, uncontentious step, in
parallel with the PEP, might be a patch to add that ability to zipfile.


More information about the Python-list mailing list