[tor-bugs] #7642 [Ooni]: Secure download of python package dependencies
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 5 11:46:58 UTC 2012
#7642: Secure download of python package dependencies
-------------------------+--------------------------------------------------
Reporter: hellais | Owner: hellais
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Keywords: ooni_build, | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by hellais):
from #nottor:
06:37 < d1b> best solution for now - is git+https://$repo / git+ssh /
hg+ssh
06:37 < d1b> in requirements.txt imho
06:39 < hellais> d1b: though that would not work with packages that don't
have a git repo, right?
06:40 < hellais> I mean we would have to mirror to a git repo all the
packages we are interested in?
06:40 < d1b> hellais: yeah
06:40 < hellais> ugh
06:40 < d1b> also it works for hg, but hg needs to have https certificates
pointed as well
06:40 < hellais> that seems like a pain
06:40 < d1b> it is only a pain to start with
06:40 < hellais> anyways it's a good idea worth considering
06:43 < hellais> d1b: well it's also a pain to keep it all in sync and up
to date
06:43 < d1b> hmm?
06:43 < d1b> just point it at master ;)
06:43 < hellais> d1b: no, you want to point it to the latest release
06:44 < hellais> but not all depedencies have tags or use the same tags
06:44 < hellais> when a package updates you need to point it to a new tag
06:44 < d1b> yep
06:44 < d1b> or just point it at master - for those who like breakage :-)
06:44 < hellais> and you need to have some update automation scripts that
do that
06:45 < hellais> I don't like breakage
06:45 < hellais> :P
06:45 < d1b> :-)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7642#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list