[Distutils] zc.buildout: new option for requiring MD5 sums for downloads
Thomas Lotze
thomas at thomas-lotze.de
Fri Mar 11 16:15:09 CET 2011
"Filip M. Noetzel" <filip at j03.de> wrote:

> (I'm replying out of band, [...]

I hope you don't mind if I send a copy of my reply back to the list,
though.

> I think I wrote what you are describing in your post a few months ago:
>
> http://pypi.python.org/pypi/buildout-md5sums (Source at https://github.com/peritus/buildout-md5sums )

It has a very similar purpose indeed. Nice to see that this is
something I'm not the only one to want to have. Thank you for pointing
it out!

> I'd love feedback on it (I use it on a day-to-day basis for my buildouts, but don't know other users).

The problems I see with your approach:

- Patching the download API is technically less than optimal.

- Anchoring MD5 enforcement that deeply within the mechanics means that
  client code cannot decide whether its associated configuration needs
  to honour the allow-picked-downloads flag. I'm not sure whether
  that's a good thing or bad - that's part of what I'm hoping to
  discuss. I could imagine that one wants to enforce checksums for,
  e.g., source packages downloaded by a cmmi recipe while avoiding them
  for base configuration files downloaded by buildout itself.

- As a less technical aspect, you might want to consider a more serious
  licence for your package if you hope for more wide-spread use.

Thomas
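
The trade-off in the second point above, sketched as an added example that is not part of the original message and is neither zc.buildout's nor buildout-md5sums' code. The Downloader class, its honour_flag parameter, the sample URLs and the reading of allow-picked-downloads as "false means refuse downloads without an MD5 sum" are all assumptions made for illustration.

```python
import hashlib

class ChecksumError(Exception):
    """A download had no checksum where one is required, or did not match."""

class Downloader:
    """Hypothetical helper for illustration; not zc.buildout's download API."""

    def __init__(self, fetch, allow_picked_downloads=True):
        self.fetch = fetch  # callable: url -> bytes
        # Assumed semantics: False means "refuse downloads without an MD5 sum".
        self.allow_picked_downloads = allow_picked_downloads

    def __call__(self, url, md5sum=None, honour_flag=True):
        data = self.fetch(url)
        if md5sum is None:
            # The caller, not the download machinery, decides via honour_flag
            # whether the global flag applies to this kind of download.
            if honour_flag and not self.allow_picked_downloads:
                raise ChecksumError("no MD5 sum configured for %s" % url)
            return data
        actual = hashlib.md5(data).hexdigest()
        if actual != md5sum.strip().lower():
            raise ChecksumError("MD5 mismatch for %s: got %s" % (url, actual))
        return data

# Constructed sample content standing in for the network.
SAMPLE = {
    "http://example.invalid/base.cfg": b"[buildout]\nparts =\n",
    "http://example.invalid/src.tar.gz": b"constructed tarball bytes",
}

def demo():
    download = Downloader(SAMPLE.__getitem__, allow_picked_downloads=False)
    results = {}
    # Base configuration fetched by the core: opts out of enforcement.
    results["base"] = download("http://example.invalid/base.cfg", honour_flag=False)
    # Source package fetched by a recipe: honours the flag, so no sum -> error.
    try:
        download("http://example.invalid/src.tar.gz")
        results["unpinned"] = "accepted"
    except ChecksumError:
        results["unpinned"] = "rejected"
    pinned = hashlib.md5(SAMPLE["http://example.invalid/src.tar.gz"]).hexdigest()
    results["pinned"] = download("http://example.invalid/src.tar.gz", md5sum=pinned)
    return results

if __name__ == "__main__":
    print(demo())
```

If the check were instead patched into the download machinery itself, the honour_flag choice would disappear and the base.cfg fetch would be rejected along with the unpinned source package.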