This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: packaging.pypi should not require checksums
Type: Stage: resolved
Components: Distutils2 Versions: Python 3.3, 3rd party
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: alexis Nosy List: alexis, eric.araujo, j1m, tarek
Priority: normal Keywords:

Created on 2012-03-13 00:40 by j1m, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (5)
msg155542 - (view) Author: Jim Fulton (j1m) * (Python committer) Date: 2012-03-13 00:40
Requiring md5s makes it hard to implement simple indexes with simple web servers, where simple indexes include flat directories of distributions.
msg155544 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-03-13 00:42
I’m not sure that this report should not be merged with #14279, but Alexis will judge that.
msg155906 - (view) Author: Alexis Metaireau (alexis) * (Python triager) Date: 2012-03-15 16:33
If no MD5 checksum is present on the crawled simple index, then we don't have to check them. This means we introduce a potential security hole here (md5 checksums were added for a reason).

What could be done is to explicitely don't check them if asked so. For instance using a --no-checksum flag when running pysetup, or passing a no_checksum argument when using the crawler.

Would that work for you?

Éric, this is a different issue than the one you pointed out in the sence that one is for local files and the other is for remote indexes. (Of course, local files, will not need checksums as well).
msg155925 - (view) Author: Jim Fulton (j1m) * (Python committer) Date: 2012-03-15 18:17
I just clarified that 14279 doesn't imply local files.

I'd be fine with a warning about lack of checksums for downloads.
msg155959 - (view) Author: Alexis Metaireau (alexis) * (Python triager) Date: 2012-03-15 21:36
Right, I'll go for this then.
History
Date User Action Args
2022-04-11 14:57:27adminsetgithub: 58488
2014-03-13 02:28:02eric.araujosetstatus: open -> closed
resolution: out of date
stage: resolved
2012-03-15 21:36:32alexissetmessages: + msg155959
2012-03-15 18:17:53j1msetmessages: + msg155925
2012-03-15 16:33:13alexissetmessages: + msg155906
2012-03-13 00:42:20eric.araujosetassignee: eric.araujo -> alexis
title: simple indexes (in wrappers) should not require md5 hashes -> packaging.pypi should not require checksums
messages: + msg155544
versions: + 3rd party, Python 3.3
2012-03-13 00:40:34j1mcreate