[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Jack Jansen Jack.Jansen at cwi.nl
Thu Oct 9 15:06:43 EDT 2003


On 9-okt-03, at 20:04, Eric Nieuwland wrote:
>> I don't think so: I think MD5 is good enough here. The scapegoat
>> downloaded a specific source distribution and built it without
>> problems. S/he gets the md5 sum of that distribution, puts the URL and
>> md5sum in the database and can be sure that whatever the end user
>> downloads is correct.
>
> OK. I assumed that the scapegoat would like to know for sure where the
> code came from. Otherwise, s/he has to either trust the source and thus
> the developer or review and test every package.

It is *definitely* the intention that the scapegoat reviews and tests every
package! That's why s/he is called the scapegoat (and not the "package
collector" or some such): if something is wrong with a package, or if there
is unforeseen interaction among packages you're free to blame the scapegoat.

The situation is the same as my role for the MacPython core distribution:
if there's something wrong you can blame me.

Not that this makes any significant difference in the open source world:
you can blame me all you like but you can't sue me. But the intention is
indeed that the scapegoat tests the packages to approximately the same level
as I test MacPython distributions.

But: this is my view on PackMan (have a small number of reasonably well tested
packages), Bob's view is pretty different: he uses it mainly to distribute
many packages in pre-compiled form, making them available to people without
the developer tools, but without much testing done (if I understand correctly).

>> And now that I know there is SSL support in MacPython (which very
>> pleasantly surprised me!!) I think we can solve everything except for
>> name server spoofing (by having a well-known secure-http URL in the
>> distribution, that we use to check MD5 sums).
>
> Now if we could use a fixed IP-address for the next ten years or so, then
> we could bypass the name server and avoid the spoofing issue.

After thinking about it a bit harder I think it doesn't really make a
difference :-(

We are going to need digital signatures at some point, so if we're
not going to have them in Python we have to warn users and provide
them with an out-of-band way to test packages.
--
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman
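The integrity check the thread describes (the scapegoat builds and tests a source distribution, records its URL and MD5 sum in a database served from a well-known HTTPS URL, and the end user checks the download against that record), as an added Python example. This is not code from the thread or from PackMan; the package URL and archive bytes are constructed, and the function names are hypothetical. It generalizes the thread's MD5-only scheme to any hashlib algorithm, since MD5 has since lost collision resistance and a deployment today would record SHA-256 digests instead.

```python
import hashlib
import hmac

# Constructed sample archive contents standing in for a downloaded source
# distribution; this is not a real package.
SAMPLE_ARCHIVE = b"The quick brown fox jumps over the lazy dog"
# Hypothetical download URL used as the database key.
SAMPLE_URL = "http://example.invalid/dist/sample-1.0.tar.gz"


def digest_of(data, algorithm="md5"):
    """Hex digest of an archive, fed to the hash in chunks the way a
    streamed download would be. Defaults to MD5 to match the thread;
    pass "sha256" for a current deployment."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), 65536):
        h.update(view[start:start + 65536])
    return h.hexdigest()


def record_package(database, url, archive, algorithm="md5"):
    """Scapegoat side: after building and testing `archive`, store its URL
    and digest in the database that is later published over HTTPS."""
    database[url] = {
        "algorithm": algorithm,
        "digest": digest_of(archive, algorithm),
    }
    return database[url]


def verify_download(database, url, archive):
    """End-user side: compare the digest of the bytes actually downloaded
    with the recorded one. Returns (ok, reason)."""
    entry = database.get(url)
    if entry is None:
        return False, "no record for this URL in the database"
    actual = digest_of(archive, entry["algorithm"])
    # compare_digest runs in constant time, so a mismatch leaks nothing
    # about how many leading characters happened to agree.
    if not hmac.compare_digest(actual, entry["digest"]):
        return False, "digest mismatch: got %s, database has %s" % (
            actual, entry["digest"])
    return True, "digest matches the recorded value"


def demo():
    """Round trip: register the sample, then verify an intact and a
    tampered copy. Returns (intact_ok, tampered_ok) == (True, False)."""
    database = {}
    record_package(database, SAMPLE_URL, SAMPLE_ARCHIVE)
    intact_ok, _ = verify_download(database, SAMPLE_URL, SAMPLE_ARCHIVE)
    tampered = SAMPLE_ARCHIVE + b"\n# injected line"
    tampered_ok, _ = verify_download(database, SAMPLE_URL, tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

What this proves is limited to "the bytes match what the scapegoat recorded": the user's trust rests entirely on the database having been fetched intact from the secure-http URL the thread mentions. Nothing here authenticates who built the package or who wrote the database entry, which is the gap the closing paragraph reserves for digital signatures and an out-of-band check.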