Re: [Python-Dev] Status of packaging in 3.3

On 06/22/2012 11:38 AM, Donald Stufft wrote:
> On Friday, June 22, 2012 at 5:22 AM, Dag Sverre Seljebotn wrote:>>>> What Bento does is have one metadata file for the source-package, and>> another metadata file (manifest) for the built-package. The latter is>> normally generated by the build process (but follows a standard>> nevertheless). Then that manifest is used for installation (through>> several available methods).>  From what I understand, this dist.(yml|json|ini) would be replacing the> mainfest not the bento.info then. When bento builds a package compatible> with the proposed format it would instead of generating it's own manifest> it would generate the dist.(yml|json|ini).

Well, but I think you need to care about the whole process here.

Focusing only on the "end-user case" and binary installers has the flip 
side that smuggling in a back door is incredibly easy in compiled 
binaries. You simply upload a binary that doesn't match the source.

The reason PyPI isn't one big security risk is that packages are built 
from source, and so you can have some confidence that backdoors would be 
noticed and highlighted by somebody.

Having a common standards for binary installation phase would be great 
sure, but security-minded users would still need to build from source in 
every case (or trust a 3rt party build farm that builds from source). 
The reason you can trust RPMs at all is because they're built from SRPMs.

Dag
_______________________________________________
Python-Dev mailing list
Pyth...@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/python-dev-ml%40activestate.com