[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Jack Jansen Jack.Jansen at cwi.nl
Thu Oct 9 15:06:43 EDT 2003

On 9-okt-03, at 20:04, Eric Nieuwland wrote:
>> I don't think so: I think MD5 is good enough here. The scapegoat
>> downloaded a specific source distribution and built it without
>> problems. S/he gets the md5 sum of that distribution, puts the URL and
>> md5sum in the database and can be sure that whatever the end user
>> downloads is correct.
> OK. I assumed that the scapegoat would like to know for sure where the
> code came from. Otherwise, s/he has to either trust the source and thus
> the developer or review and test every package.

It is *definitely* the intention that the scapegoat reviews and tests 
package! That's why s/he is called the scapegoat (and not the "package
collector" or some such): if something is wrong with a package, or if 
is unforeseen interaction among packages you're free to blame the 

The situation is the same as my role for the MacPython core 
if there's something wrong you can blame me.

Not that this makes any significant difference in the open source world:
you can blame me all you like but you can't sue me. But the intention is
indeed that the scapegoat tests the packages to approximately the same 
as I test MacPython distributions.

But: this is my view on PackMan (have a small number of reasonably well 
packages), Bob's view is pretty different: he uses it mainly to 
many packages in pre-compiled form, making them available to people 
the developer tools, but without much testing done (if I understand 

>> And now that I know there is SSL support in MacPython (which very
>> pleasantly surprised me!!)
>> I think we can solve everything except for name server spoofing (by
>> having a well-known secure-http URL in the distribution, that we use to
>> check MD5 sums).
> Now if we could use a fixed IP-address for the next ten years or so, then
> we could by-pass the name server and avoid the spoofing issue.

After thinking about it a bit harder I think it doesn't really make a 

We are going to need digital signatures at some point, so if we're
not going to have them in Python we have to warn users and provide
them with an out-of-band way to test packages.
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma 
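The check discussed in this thread (the scapegoat records URL plus checksum of the distribution they built and tested; the end user recomputes the sum of what they downloaded and compares it against a database fetched from a well-known HTTPS URL) as an added example in Python; this is not PackMan code, and the package name, URL and distribution bytes are constructed:

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample distribution and database (hypothetical values).
SAMPLE_DIST = b"MyPackage-1.0.tar.gz (constructed sample bytes)\n"
DATABASE_URL = "https://packman.example.invalid/db/packages.json"


def record_distribution(name, url, data, database, algorithm="md5"):
    """Scapegoat side: after building and testing this exact file, store
    its URL and digest. The thread uses md5; sha256 works the same way."""
    database[name] = {"url": url, algorithm: hashlib.new(algorithm, data).hexdigest()}
    return database[name]


def database_url_is_trusted(url):
    """The database must itself arrive over HTTPS, otherwise whoever can
    tamper with the download can also tamper with the expected sums."""
    return urlparse(url).scheme == "https"


def verify_distribution(name, data, database, algorithm="md5"):
    """End-user side: recompute the digest of the downloaded bytes and
    compare it to the recorded one. Returns (ok, reason)."""
    entry = database.get(name)
    if entry is None:
        return False, "no database entry for %s" % name
    expected = entry.get(algorithm)
    if expected is None:
        return False, "database entry for %s has no %s sum" % (name, algorithm)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch: expected %s, got %s" % (algorithm, expected, actual)
    return True, "ok"


if __name__ == "__main__":
    db = {}
    record_distribution("MyPackage", "https://packman.example.invalid/MyPackage-1.0.tar.gz",
                        SAMPLE_DIST, db)
    print(database_url_is_trusted(DATABASE_URL))
    print(verify_distribution("MyPackage", SAMPLE_DIST, db))
    print(verify_distribution("MyPackage", SAMPLE_DIST + b"tampered", db))
```

A matching sum only proves the file is the one the scapegoat built; as the message says, authenticating who published the database still needs signatures or an out-of-band check.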
