Title: Add support for PEP 381 Mirror Authenticity
Type: enhancement Stage: resolved
Components: Distutils2 Versions: Python 3.3
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: Nosy List: alexis, asdfasdfasdfasdfasdfasdfasdf, eric.araujo, intgr, kelsey.hightower, tarek
Priority: normal Keywords: patch

Created on 2011-03-01 03:06 by kelsey.hightower, last changed 2013-11-22 21:03 by eric.araujo. This issue is now closed.

File name Uploaded Description Edit
mirror-authenticity.patch kelsey.hightower, 2011-03-01 03:28 Adding support for PEP 381 Mirror Authenticity
mirror-authenticity-updated.patch kelsey.hightower, 2011-03-04 04:06 Fixes based on feedback from Alexis and Antoine Pitrou
Messages (7)
msg129736 - (view) Author: Kelsey (kelsey.hightower) Date: 2011-03-01 03:06
Distutils2 should provide support for verifying a mirrors authenticity as described in PEP 381 -- Mirror Authenticity.
msg129737 - (view) Author: Kelsey (kelsey.hightower) Date: 2011-03-01 03:13
I have started on an implementation in my distutil2 patch-queue on bitbucket.

Link to code, tests, and documentation:

Outstanding items include back porting the SSL module for python < 2.6 support and making sure all test pass on python >= 2.4
msg129783 - (view) Author: Alexis Metaireau (alexis) * (Python triager) Date: 2011-03-01 15:12
Some nitpicks:

In mirrors.get_server_key, the documentation is not up to date with your last changes (raises an error if there is a problem instead of returning None)

You do use the name 'package' while talking about distributions or projects. Please be sure to use the right one on the right place (in your case, that's a project). A project (Django) contains releases (Django 1.1, 1.2, 1.3?) which contains distributions (sdist, bdist).

The "verify_package" name could probably be changed in "is_trustable" or something like that, or raise an error (Otherwise, one can use verify_package thinking that it will actually check for something, without looking at the return value).

In the documentation, you've mainly copy/pasted the PEP and provided examples on how to do the authenticity check with distutils2. 

While the second part is fine, I think that duplicating the PEP content on the documentation is probably an error: If the PEP changes, then the distutils2 documentation have to change as well. You probably can just refer on the PEP with a link.

Adding informations on where did you find the sources of could be nice as well.

Again, thanks for your work !
msg129784 - (view) Author: Alexis Metaireau (alexis) * (Python triager) Date: 2011-03-01 15:44
Antoine Pitrou on #python-dev made interesting remarks about the validation:

16:19 < __ap__> hmm the way the patch does validation is bogus
16:22 < __ap__> because it opens the URL a first time, validates it,
then opens it a second time with urlopen()
16:22 < __ap__> without verifying the certificate on the second time
16:23 < __ap__> it should do the validation directly with urlopen()
16:23 < __ap__> (which probably requires defining a custom HTTPSHandler)
msg129785 - (view) Author: Kelsey (kelsey.hightower) Date: 2011-03-01 16:19
Thanks for the feedback! I agree with the issues raised and will rework the patch to address them.
msg130019 - (view) Author: Kelsey (kelsey.hightower) Date: 2011-03-04 04:06
Based on the feedback I have updated my patch, please review.

An updated patch attached. Link to my distutils2 mq below:
msg203876 - (view) Author: √Čric Araujo (eric.araujo) * (Python committer) Date: 2013-11-22 21:03
Mirroring protocol is deprecated.
Date User Action Args
2013-11-22 21:03:35eric.araujosetstatus: open -> closed
messages: + msg203876

assignee: tarek ->
resolution: out of date
stage: resolved
2011-09-19 12:49:09intgrsetnosy: + intgr
2011-08-08 13:10:12asdfasdfasdfasdfasdfasdfasdfsetnosy: + asdfasdfasdfasdfasdfasdfasdf
2011-06-03 15:33:52eric.araujosettitle: Add support for PEP 381 -- Mirror Authenticity -> Add support for PEP 381 Mirror Authenticity
versions: + Python 3.3, - 3rd party
2011-06-01 06:25:42terry.reedysetversions: - Python 2.6, Python 2.5, Python 3.1, Python 2.7, Python 3.2, Python 3.3
2011-03-04 04:06:53kelsey.hightowersetfiles: + mirror-authenticity-updated.patch
nosy: tarek, eric.araujo, alexis, kelsey.hightower
messages: + msg130019
2011-03-01 16:19:33kelsey.hightowersetnosy: tarek, eric.araujo, alexis, kelsey.hightower
messages: + msg129785
2011-03-01 15:44:58alexissetnosy: tarek, eric.araujo, alexis, kelsey.hightower
messages: + msg129784
2011-03-01 15:12:47alexissetnosy: tarek, eric.araujo, alexis, kelsey.hightower
messages: + msg129783
2011-03-01 03:29:00kelsey.hightowersetfiles: + mirror-authenticity.patch
nosy: tarek, eric.araujo, alexis, kelsey.hightower
keywords: + patch
2011-03-01 03:13:13kelsey.hightowersetnosy: tarek, eric.araujo, alexis, kelsey.hightower
messages: + msg129737
2011-03-01 03:06:34kelsey.hightowercreate