[Catalog-sig] Proposal: close the PyPI file-replacement loophole

PJ Eby pje at telecommunity.com
Wed Feb 1 23:57:08 CET 2012


On Wed, Feb 1, 2012 at 6:06 AM, Yuval Greenfield <ubershmekel at gmail.com> wrote:

> Does the setup.py/cfg allow me to require a specific hash on SQLAlchemy
> when automatically resolving dependencies in pip/easy_install?
>

Yes, at least for easy_install.  You tack on #md5=.... to your find_links
URLs, and specify an exact version.  easy_install will refuse to install
them if the MD5 doesn't match.  (This will work better for source packages
than binaries, of course, since you'd only need to include one link and MD5
signature in that case.)
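The check described in the reply above, as an added example that is not code from the original message, from easy_install or from setuptools: a find_links-style URL carries a `#md5=<hex>` fragment, the downloaded bytes are hashed, and anything that does not match is refused, which is what closes the replace-the-file-under-the-same-name gap for a pinned version. As a generalisation beyond the post it also accepts sha1/sha256/sha512 fragments and an `egg=name-version` component alongside the hash; the URL, file name and file contents below are constructed for this example only.

```python
"""Verify a downloaded distribution against a hash pinned in its URL fragment.

Added example, not code from the original post, easy_install or setuptools.
It models the behaviour the reply describes: a find_links URL such as
    https://example.invalid/SQLAlchemy-0.7.5.tar.gz#md5=<hex>
pins the exact bytes of that file, and a download whose digest differs is
refused.  Generalisations beyond the post: sha1/sha256/sha512 pins and an
'egg=name-version' part next to the hash are accepted too.  Every URL,
file name and byte string here is constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

SUPPORTED_ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_hash_fragment(url):
    """Return (algo, hexdigest) from a '#algo=hex' fragment, or None when the
    URL pins nothing.  Raises ValueError for a malformed pin."""
    fragment = urlparse(url).fragment
    for part in fragment.split("&"):
        key, sep, value = part.partition("=")
        key = key.lower()
        if not sep or key not in SUPPORTED_ALGOS:
            continue  # e.g. 'egg=name-version', or an empty fragment
        value = value.lower()
        expected_len = hashlib.new(key).digest_size * 2
        if len(value) != expected_len or set(value) - set("0123456789abcdef"):
            raise ValueError(f"malformed {key} pin in {url!r}")
        return key, value
    return None


def verify_download(url, data):
    """Return True only if data matches the hash pinned in url.

    A URL without a pin is treated as unverifiable and rejected, so a file
    that was replaced under the same name (same URL, different bytes) can
    never slip through.  The comparison is constant-time."""
    pin = parse_hash_fragment(url)
    if pin is None:
        return False
    algo, expected = pin
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def pin_url(url, data, algo="md5"):
    """Build the pinned find_links URL from a plain download URL and the
    bytes you audited: '<url>#<algo>=<hex>'.  Any existing fragment is
    dropped."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported algorithm {algo!r}")
    base = url.split("#", 1)[0]
    return f"{base}#{algo}={hashlib.new(algo, data).hexdigest()}"


def demo():
    """Simulate the file-replacement scenario: same file name, new bytes."""
    original = b"constructed sdist contents, release 0.7.5\n"
    replaced = b"constructed sdist contents, release 0.7.5, re-uploaded\n"
    url = "https://example.invalid/SQLAlchemy-0.7.5.tar.gz"  # constructed
    pinned = pin_url(url, original)
    return {
        "original_ok": verify_download(pinned, original),   # True
        "replaced_ok": verify_download(pinned, replaced),   # False: refused
        "unpinned_ok": verify_download(url, original),      # False: no pin
    }


if __name__ == "__main__":
    print(demo())
```

The pin protects against a file being swapped for different bytes under an unchanged name and version; it says nothing about whether the bytes you hashed in the first place were trustworthy, so compute the pin from a copy you have actually reviewed.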