would be nice: import from archive
"Martin v. Löwis"
martin at v.loewis.de
Mon Aug 30 02:43:44 EDT 2004
Paul Rubin wrote:
> so you could say
> import x(signed)
> or
> import x(signed, certfile='mycerts.pem')
>
> or whatever.
I believe that import is the wrong point in time for checking
signatures. You want to check the signature when the file is
added to sys.path, i.e.
imp.verify_signature(filename)
sys.path.append(filename)
or
imp.verify_all_signatures(sys.path)
That way, you can guarantee that trusted code is on sys.path
all the time. Then, you can also trust any import statement.
Regards,
Martin
More information about the Python-list
mailing list