[Python-Dev] Status of packaging in 3.3

Dag Sverre Seljebotn d.s.seljebotn at astro.uio.no
Fri Jun 22 11:52:44 CEST 2012


On 06/22/2012 11:38 AM, Donald Stufft wrote:
> On Friday, June 22, 2012 at 5:22 AM, Dag Sverre Seljebotn wrote:
>>
>> What Bento does is have one metadata file for the source-package, and
>> another metadata file (manifest) for the built-package. The latter is
>> normally generated by the build process (but follows a standard
>> nevertheless). Then that manifest is used for installation (through
>> several available methods).
> From what I understand, this dist.(yml|json|ini) would be replacing the
> manifest, not the bento.info, then. When bento builds a package compatible
> with the proposed format, instead of generating its own manifest
> it would generate the dist.(yml|json|ini).

Well, but I think you need to care about the whole process here.

Focusing only on the "end-user case" and binary installers has the flip 
side that smuggling in a back door is incredibly easy in compiled 
binaries. You simply upload a binary that doesn't match the source.

The reason PyPI isn't one big security risk is that packages are built 
from source, and so you can have some confidence that backdoors would be 
noticed and highlighted by somebody.

Having a common standard for the binary installation phase would be great, 
sure, but security-minded users would still need to build from source in 
every case (or trust a third-party build farm that builds from source). 
The reason you can trust RPMs at all is because they're built from SRPMs.

Dag
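As an added illustration of the point above (example code, not from this post and not Bento's own manifest code): the check a security-minded consumer can run is to rebuild from source, record a per-file digest of what the build produced, and compare that against the binary package they were offered. The directory layout, the manifest format (relative path to SHA-256) and the tampered files are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256.

    This is the kind of per-file record a build step could emit for a
    built package; the format is constructed here, not Bento's.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            manifest[rel] = sha256_file(path)
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Diff a trusted manifest (from a source build) against a candidate
    (from a downloaded binary). Any non-empty list means the binary does
    not match what the source produces and should not be installed."""
    return {
        "modified": sorted(p for p in expected
                           if p in actual and expected[p] != actual[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def _write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative_path: bytes} mapping under `root`."""
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: the tree a local source build produced versus a
    'downloaded' binary tree in which one compiled module differs and one
    extra file is present that the source build never emitted."""
    source_built = {
        "pkg/__init__.py": b"from .core import run\n",
        "pkg/core.so": b"\x7fELF...constructed-legit-build",
        "pkg-1.0.dist-info/METADATA": b"Name: pkg\nVersion: 1.0\n",
    }
    downloaded = dict(source_built)
    downloaded["pkg/core.so"] = b"\x7fELF...constructed-altered-build"  # differs
    downloaded["pkg/_extra.pyd"] = b"not produced by the source build"  # extra

    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "from_source"
        candidate = Path(tmp) / "downloaded"
        _write_tree(trusted, source_built)
        _write_tree(candidate, downloaded)
        return compare_manifests(build_manifest(trusted),
                                 build_manifest(candidate))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

The comparison only means something if the trusted manifest really came from a build you (or a build farm you trust) ran from source; a manifest shipped alongside the binary by the same uploader proves nothing, which is the point about SRPMs above.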

