[Python-Dev] Status of packaging in 3.3 (original) (raw)
Dag Sverre Seljebotn d.s.seljebotn at astro.uio.no
Fri Jun 22 11:52:44 CEST 2012
- Previous message: [Python-Dev] Status of packaging in 3.3
- Next message: [Python-Dev] Status of packaging in 3.3
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 06/22/2012 11:38 AM, Donald Stufft wrote:
On Friday, June 22, 2012 at 5:22 AM, Dag Sverre Seljebotn wrote:
What Bento does is have one metadata file for the source-package, and another metadata file (manifest) for the built-package. The latter is normally generated by the build process (but follows a standard nevertheless). Then that manifest is used for installation (through several available methods). From what I understand, this dist.(yml|json|ini) would be replacing the mainfest not the bento.info then. When bento builds a package compatible with the proposed format it would instead of generating it's own manifest it would generate the dist.(yml|json|ini).
Well, but I think you need to care about the whole process here.
Focusing only on the "end-user case" and binary installers has the flip side that smuggling in a back door is incredibly easy in compiled binaries. You simply upload a binary that doesn't match the source.
The reason PyPI isn't one big security risk is that packages are built from source, and so you can have some confidence that backdoors would be noticed and highlighted by somebody.
Having a common standards for binary installation phase would be great sure, but security-minded users would still need to build from source in every case (or trust a 3rt party build farm that builds from source). The reason you can trust RPMs at all is because they're built from SRPMs.
Dag
- Previous message: [Python-Dev] Status of packaging in 3.3
- Next message: [Python-Dev] Status of packaging in 3.3
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]