[Distutils] zc.buildout: new option for requiring MD5 sums for downloads

Fri Mar 11 16:15:09 CET 2011

"Filip M. Noetzel" <filip at j03.de> schrieb:

> (I'm replying out of band, [...]

I hope you don't mind if I send a copy of my reply back to the list,
though.

> I think wrote what you are describing in your post a few months ago:
> 
> http://pypi.python.org/pypi/buildout-md5sums (Source at https://github.com/peritus/buildout-md5sums )

It has a very similar purpose indeed. Nice to see that this is
something I'm not the only one to want to have. Thank you for pointing
it out!

> I'd love feedback on it (I use it on a day-to-day basis for my buildouts, but don't know other users).

The problems I see with your approach:

- Patching the download API is technically less than optimal.

- Anchoring MD5 enforcement that deeply within the mechanics means that
  client code cannot decide whether its associated configuration needs
  to honour the allow-picked-downloads flag. I'm not sure whether
  that's a good thing or bad - that's part of what I'm hoping to
  discuss. I could imagine that one wants to enforce checksums for,
  e.g., source packages downloaded by a cmmi recipe while avoiding them
  for base configuration files downloaded by buildout itself.

- As a less technical aspect, you might want to consider a more serious
  licence for your package if you hope for more wide-spread use.

Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20110311/f83f6c5d/attachment.pgp>