would be nice: import from archive
Alex Martelli
aleaxit at yahoo.com
Sat Aug 28 04:45:24 EDT 2004

Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> aleaxit at yahoo.com (Alex Martelli) writes:
> > Would it make sense to rely on a naming convention instead?
> > I.e. foo.zip would be unsigned but bar.jar would have to be signed
> > or else no go. This would have the advantage of allowing
> > substantial granularity in controlling this.
>
> I think this is reasonable, except what does the import statement look
> like? Do you say something like "import frob from bar.jar"?

No, you say, as always:

    import frob

Importing looks at each item on sys.path, and each item can be:

1. a directory X -- then import looks for X/frob.py or a subdirectory
   X/frob/ containing an __init__.py (or in either case .pyc or .pyo)
2. a zipfile X.zip -- then import looks inside (unsigned) file X.zip for
   a frob.py, frob.pyc, etc.
3. [only novelty...] a signed zipfile X.jar -- then import verifies the
   signature, then if valid proceeds as in 2

> > Side question, does module zipfile already have the code to allow
> > reading such signed files?
>
> I think jar files are just zip files containing an extra file (called
> "manifest") that has signatures in it. So you can import from a jar
> as if it were a zip.

But it might be nice to check signatures automatically if reading such
files is a common task.

Alex
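
The three-way sys.path lookup described in the message above, with item 3 written as a path hook. This is an added example, not code from the thread or from Python itself. It assumes Python 3 and swaps real jar signature checking for an HMAC-SHA256 tag kept in a hypothetical `<archive>.sig` sidecar file; `TRUSTED_KEY`, `sign_archive`, `verify_archive`, `RejectedEntry`, `signed_jar_hook` and `install` are names invented here.

```python
import hashlib
import hmac
import sys
import zipimport

# Assumption: an HMAC-SHA256 tag in a hypothetical "<archive>.sig" sidecar
# stands in for real jar signatures; the key below is a constructed sample.
TRUSTED_KEY = b"constructed-demo-key"

def _tag(path, key):
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest().encode()

def sign_archive(path, key=TRUSTED_KEY):
    """Write the sidecar tag for an archive (done by whoever publishes it)."""
    with open(path + ".sig", "wb") as f:
        f.write(_tag(path, key))

def verify_archive(path, key=TRUSTED_KEY):
    """True only if the sidecar exists and matches the archive bytes."""
    try:
        with open(path + ".sig", "rb") as f:
            claimed = f.read().strip()
        return hmac.compare_digest(_tag(path, key), claimed)
    except OSError:
        return False

class RejectedEntry:
    """Path entry finder that claims an entry but never finds a module."""
    def find_spec(self, fullname, target=None):
        return None

def signed_jar_hook(entry):
    """sys.path hook: item 3 of the list above, for entries named *.jar."""
    if not entry.endswith(".jar"):
        raise ImportError("not a .jar entry")  # let the other hooks decide
    if verify_archive(entry):
        return zipimport.zipimporter(entry)    # then proceed as for X.zip
    # Raising ImportError here would pass the entry on to the stock zip
    # hook, which would import from it unverified. Claim it and find nothing.
    return RejectedEntry()

def install():
    """Put the hook ahead of the built-in zip hook and drop cached finders."""
    if signed_jar_hook not in sys.path_hooks:
        sys.path_hooks.insert(0, signed_jar_hook)
    sys.path_importer_cache.clear()
```

zipimport reads the archive again after the check, so the file and its directory must not be writable by anyone less trusted than the process doing the import.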