Issue 14280: packaging.pypi should not require checksums

Created on 2012-03-13 00:40 by j1m, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (5)
msg155542 - Author: Jim Fulton (j1m) (Python committer) Date: 2012-03-13 00:40
Requiring md5s makes it hard to implement simple indexes with simple web servers, where simple indexes include flat directories of distributions.
msg155544 - Author: Éric Araujo (eric.araujo) (Python committer) Date: 2012-03-13 00:42
I’m not sure that this report should not be merged with #14279, but Alexis will judge that.
msg155906 - Author: Alexis Metaireau (alexis) (Python triager) Date: 2012-03-15 16:33
If no MD5 checksum is present on the crawled simple index, then we don't have to check them. This means we introduce a potential security hole here (md5 checksums were added for a reason). What could be done is to explicitly not check them if asked to. For instance using a --no-checksum flag when running pysetup, or passing a no_checksum argument when using the crawler. Would that work for you? Éric, this is a different issue than the one you pointed out in the sense that one is for local files and the other is for remote indexes. (Of course, local files will not need checksums either.)
msg155925 - Author: Jim Fulton (j1m) (Python committer) Date: 2012-03-15 18:17
I just clarified that 14279 doesn't imply local files. I'd be fine with a warning about lack of checksums for downloads.
msg155959 - Author: Alexis Metaireau (alexis) (Python triager) Date: 2012-03-15 21:36
Right, I'll go for this then.
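The behaviour agreed on in this thread (verify a checksum when the index publishes one, warn and continue when it does not), as an added example that is not code from packaging.pypi or from anyone in the thread. The function names, the index.example URLs and the sample bytes are constructed for illustration; the "#md5=<hex>" link fragment is the simple-index convention, and accepting SHA-2 fragments as well goes beyond the MD5 case discussed here.

```python
import hashlib
import warnings
from urllib.parse import urldefrag

# Digest algorithms this sketch accepts in a link fragment (an assumption).
ALLOWED = {"md5", "sha256", "sha512"}


class ChecksumMismatch(Exception):
    """Downloaded bytes do not match the digest the index advertised."""


def split_checksum(link):
    """Split 'url#algo=hexdigest' into (url, algo, hexdigest).

    algo and hexdigest are None when the link carries no usable fragment,
    which is what a flat directory listing served by a plain web server gives.
    """
    url, fragment = urldefrag(link)
    algo, sep, digest = fragment.partition("=")
    if not sep or algo not in ALLOWED or not digest:
        return url, None, None
    return url, algo, digest.lower()


def verify_download(link, data):
    """Return True if verified, False if accepted unverified.

    A missing checksum only warns; a published checksum that does not
    match always raises, so a bad download is never silently accepted.
    """
    url, algo, expected = split_checksum(link)
    if algo is None:
        warnings.warn("no checksum published for %s; integrity not verified" % url)
        return False
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected:
        raise ChecksumMismatch("%s digest mismatch for %s" % (algo, url))
    return True


# Constructed sample input: one link with a digest, one from a flat directory.
SAMPLE = b"constructed sdist bytes"
FLAT_DIR = "http://index.example/simple/foo/foo-1.0.tar.gz"
WITH_MD5 = FLAT_DIR + "#md5=" + hashlib.md5(SAMPLE).hexdigest()
```

The digest in the fragment comes from the same index as the file, so it detects corrupted or truncated downloads but not a compromised or spoofed index.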
History
Date User Action Args
2022-04-11 14:57:27 admin set github: 58488
2014-03-13 02:28:02 eric.araujo set status: open -> closed; resolution: out of date; stage: resolved
2012-03-15 21:36:32 alexis set messages: +
2012-03-15 18:17:53 j1m set messages: +
2012-03-15 16:33:13 alexis set messages: +
2012-03-13 00:42:20 eric.araujo set assignee: eric.araujo -> alexis; title: simple indexes (in wrappers) should not require md5 hashes -> packaging.pypi should not require checksums; messages: +; versions: + 3rd party, Python 3.3
2012-03-13 00:40:34 j1m create