Proposal: METADATA file should be the last file within a wheel and should be uncompressed #397
Comments
I am sorry if I sound offensive, but you could save code by defining something like this: `x = y = z = "same"`, or `a, b, c = 5, 3.2, "Hello"`. Example: `archive: zipfile.ZipFile, fileInfo: zipfile.ZipInfo, newContent: typing.Union[bytes, bytearray, "mmap.mmap"]`. Then after that: `print(zipfile1, zipinfo1, newcontent1)`. Defining the variables in a row, and reuse them. Printing that would do it. |
You don't sound offensive. But
|
The wheel standard (PEP 427) recommends that Please also note that while this is the reference implementation of the standard, it's probably not the only one (I think one or two packaging tools roll their own wheels). Thus you would not be able to fully rely on the ability to do this.
This is a proposal to change the wheel standard and thus does not belong on this bug tracker. If you feel there is enough justification to do this (and thus breaking wheels for all current tools), please make your proposal on the packaging section of discuss.python.org. |
I want to point out if you edit |
Thanks! I have forgotten about it.
Or just kept uncompressed. Then the hash can be replaced in place, so it can be placed before metadata. But compression of that file makes sense, and I know how it can be solved. We can replace this file with a binary one storing a trie. In KS notation it is a kind of
```yaml
seq:
  - id: hash_function
    type: u1
    enum: hash_function
  - id: compression_type
    type: u1
    enum: compression_type
    doc: It is proposed to use `lzma2` for a compression (brotli gives better, but not in standard lib). Compressions used must satisfy the property of being streaming, compressions of 2 strings having a common prefix must have the prefix that corresponds to the uncompressed prefix.
  - id: dictionary_size
    type: u4
  - id: dictionary
    size: dictionary_size
    doc: An opaque blob storing a dictionary for a compression lib. Can be empty if the algo or an impl doesn't support it.
  - id: trie_type
    type: u1
    enum: trie_type
  - id: trie
    size-eos: true
    doc: contains a serialized trie, with stripped signatures, mapping compressed filenames to their hashes.
```
Creation:
Enumeration: Just walk the trie and decompress the keys. Straightforward and extensible.
How about a PEP and python-ideas? |
This is however a big idea, and one I think should be implemented. Exactly to double-check, with sha256sum can be done, or sha1sum. If it is one it matches if it is not then it shall not be even taken in count. But definitely keeping in count security. I will come up with something too. |
What does it have to do with security? |
Remember that a package zipped should have a hash for fact-checking, that you are getting the real package. |
That hash has to come from a secure location though because otherwise the hash could be falsified too. And any changes to the zip would change the hash too. |
The file with hashes can be gpg-signed though. But signing-related issues are IMHO offtop here. |
Yes, you are right on this one. |
Yes, you are right on this one. The file with hashes can be gpg-signed though. But signing issues are IMHO offtop here. Yes, you are right in this one. Is the main circuit initials of the file in it. As mentioned above in the circuit and also mentioned in the given targeted in an as follows to it for the given time. |
Rationale:
`wheel`s use `zip` archives. Zip archives don't allow gaps. It is a practically needed thing to edit wheels metadata. It can be done 3 ways:
`before` is kept intact, then file is appended, then `after` part. Plus recomputation of the index. Closer the file being modified to the end - more we can keep intact. If `METADATA` file is the last one, then we only need to recompute the index.
So I propose:
About long description ... it may make sense to move it into an own file.
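The rationale above can be measured. The following is an added example, not code from the issue author or the wheel project: it builds two constructed wheel-like archives (METADATA first and METADATA last, all members stored), edits METADATA in each, and counts how many leading bytes of the archive stay identical. Member names, contents and helper names are hypothetical, and the archive is rebuilt with `zipfile` for comparison rather than edited in place.

```python
import io
import zipfile

META = "demo-1.0.dist-info/METADATA"  # constructed sample member name

def build(order, files):
    """Build a constructed wheel-like zip with members in the given physical order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            zi = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            zf.writestr(zi, files[name])  # ZipInfo defaults to ZIP_STORED
    return buf.getvalue()

def layout(data, name=META):
    """Return (is_last_member, is_stored, header_offset) for the named member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zi = zf.getinfo(name)
        last = zi.header_offset == max(i.header_offset for i in zf.infolist())
        return last, zi.compress_type == zipfile.ZIP_STORED, zi.header_offset

def rewrite(data, name, new_body):
    """Rebuild the archive in the same physical order with one member replaced."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for zi in sorted(src.infolist(), key=lambda i: i.header_offset):
            body = new_body if zi.filename == name else src.read(zi)
            dst.writestr(zi, body)
    return out.getvalue()

def kept_prefix(old, new):
    """Count the leading bytes that are identical in both archives."""
    diffs = (i for i, (a, b) in enumerate(zip(old, new)) if a != b)
    return next(diffs, min(len(old), len(new)))

def demo():
    """Compare how much of the archive survives a METADATA edit in each layout."""
    files = {META: b"Metadata-Version: 2.1\nName: demo\n",
             "demo/__init__.py": b"x = 1\n" * 200}
    edited = files[META] + b"Summary: edited after build\n"
    result = {}
    for label, order in (("first", [META, "demo/__init__.py"]),
                         ("last", ["demo/__init__.py", META])):
        old = build(order, files)
        result[label] = (layout(old), kept_prefix(old, rewrite(old, META, edited)))
    return result

if __name__ == "__main__":
    print(demo())
```

With METADATA last, every byte before its local header is unchanged; with METADATA first, the archives diverge inside the very first local header.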