[Pythonmac-SIG] Package Manager idea, adding a URL scheme
Jack.Jansen at cwi.nl
Thu Oct 9 15:06:43 EDT 2003

On 9-Oct-03, at 20:04, Eric Nieuwland wrote:
>> I don't think so: I think MD5 is good enough here. The scapegoat
>> downloaded a specific source distribution and built it without
>> problems. S/he gets the md5 sum of that distribution, puts the URL and
>> md5sum in the database and can be sure that whatever the end user
>> downloads is correct.
> OK. I assumed that the scapegoat would like to know for sure where the
> code came from. Otherwise, s/he has to either trust the source and thus
> the developer or review and test every package.

It is *definitely* the intention that the scapegoat reviews and tests
package! That's why s/he is called the scapegoat (and not the "package
collector" or some such): if something is wrong with a package, or if
is unforeseen interaction among packages you're free to blame the
The situation is the same as my role for the MacPython core
if there's something wrong you can blame me.
Not that this makes any significant difference in the open source world:
you can blame me all you like but you can't sue me. But the intention is
indeed that the scapegoat tests the packages to approximately the same
as I test MacPython distributions.
But: this is my view on PackMan (have a small number of reasonably well
packages), Bob's view is pretty different: he uses it mainly to
many packages in pre-compiled form, making them available to people
the developer tools, but without much testing done (if I understand

>> And now that I know there is SSL support in MacPython (which very
>> pleasantly surprised me!!)
>> I think we can solve everything except for name server spoofing (by
>> having a well-known
>> secure-http URL in the distribution, that we use to check MD5 sums).
> Now if we could use a fixed IP-address for the next ten years or so,
> we could by-pass the name server and avoid the spoofing issue.

After thinking about it a bit harder I think it doesn't really make a
We are going to need digital signatures at some point, so if we're
not going to have them in Python we have to warn users and provide
them with an out-of-band way to test packages.

Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma
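The checksum scheme discussed above (the scapegoat builds a distribution, records its URL and digest in the database, and the end user's installer recomputes the digest before trusting the download), written out as an added example; this is not code from the original post or from PackMan itself. The manifest layout, the `example.invalid` URL and the tarball byte strings are constructed for the demonstration. The hash algorithm is a parameter: `md5` matches the 2003 discussion, while a deployment today would pass `sha256`, since MD5 collisions have been practical for years.

```python
"""Checksum verification of a package download against a manifest entry.

Added example, not PackMan's own code. The ManifestEntry layout, the
fake tarball bytes and the example.invalid URL are all constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ManifestEntry:
    """One record of the scapegoat's database: where to fetch, what it must hash to."""
    url: str
    algorithm: str   # "md5" as in the thread; "sha256" is the modern choice
    hexdigest: str


def digest_of(data: bytes, algorithm: str) -> str:
    """Hex digest of the raw bytes with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def make_entry(url: str, data: bytes, algorithm: str = "md5") -> ManifestEntry:
    """What the scapegoat does after building and testing: record URL + digest."""
    return ManifestEntry(url, algorithm, digest_of(data, algorithm))


def verify_download(entry: ManifestEntry, downloaded: bytes) -> bool:
    """What the installer does before unpacking anything it fetched."""
    actual = digest_of(downloaded, entry.algorithm)
    # compare_digest keeps the comparison time independent of where a
    # mismatch occurs, so the digest cannot be guessed byte by byte.
    return hmac.compare_digest(actual, entry.hexdigest)


# Constructed sample data: the tarball the scapegoat built, and a modified copy.
GOOD_TARBALL = b"fake-sdist: setup.py + sources"
TAMPERED_TARBALL = b"fake-sdist: setup.py + sources + something extra"

# Constructed manifest entry (hypothetical URL).
ENTRY = make_entry("http://example.invalid/foo-1.0.tar.gz", GOOD_TARBALL)


def demo() -> dict:
    """Show what the digest check does and does not protect against."""
    return {
        # The file the scapegoat actually tested passes.
        "good": verify_download(ENTRY, GOOD_TARBALL),
        # A download that differs from it in any way fails.
        "tampered": verify_download(ENTRY, TAMPERED_TARBALL),
        # If the manifest itself arrives over an unauthenticated channel (the
        # name-server spoofing case in the thread), a manifest entry and a
        # file that were produced together will agree, and the check passes.
        # That is why the thread wants the manifest on a secure-http URL and,
        # eventually, digital signatures rather than bare digests.
        "manifest_from_untrusted_channel": verify_download(
            make_entry(ENTRY.url, TAMPERED_TARBALL), TAMPERED_TARBALL
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The last entry of `demo()` is the point Jack makes at the end of the mail: a digest stored next to the download only tells you that what you fetched is what the scapegoat fetched, provided the digest reached you intact; it binds nothing to the developer, which is what a signature would add.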