experimental client: download functions review
See original GitHub issueCurrent state of _mirror_target_download() and _mirror_meta_download() in experimental client is a bit bad:
- they are actually iterators that keep returning unverified file objects to the caller, this seems unusual and surprising: I was expecting them to return a verified file object
- caller is expected to verify the contents — this makes some sense as the verification is different for e.g. root metadata and other metadata and targets… but it should be made very clear that the file object is potentially malicious data at this point
- none of the callers currently iterate these function results (they just raise if first result is invalid) so it’s not clear if mirrors actually work
- NoWorkingMirrorError can’t be raised from these iterators like it now happens (on every iteration that fails), it does not make any sense
- _mirror_target_download type annotation is wrong
I would suggest we revert to a known working design if possible (_mirror_target_download()
could just be almost 1:1 the current clients _get_target_file()
function but the metadata verification needs something else).
I’ll try to come up with something…
Issue Analytics
- State:
- Created 2 years ago
- Comments:10 (10 by maintainers)
Top Results From Across the Web
Understand experimental, preview, and retired features in ...
Learn about experimental, preview, and retired features. ... Consider using alternatives, and review the timelines as listed in the feature ...
Read more >Experimental construct libraries are now available in AWS ...
The AWS CDK v2 experimental APIs are now available as separate packages, in addition to the existing stable APIs. The AWS Cloud Development ......
Read more >Steam Deck review: Expect an experimental gaming experience
Theoretically, it's a powerful tool that could let you download games beyond your Steam library, including emulators. It's not easy to use ...
Read more >Progress in the experimental and computational methods of ...
The present article reviews the various experimental methods and theoretical models employed for work function measurement along with their merits and ...
Read more >Biases in the Experimental Annotations of Protein Function ...
In this work we analyzed the relative contribution of peer-reviewed articles describing all the experimentally derived annotations in UniProt- ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
By the way, in case I’ve not been clear about this: this is not an issue in how pip is designed, it’s an issue with how pypi hosts its files: One host (pypi.org) serves metadata and targets. These targets contain URLs that pip parses to find more host-URLs: these hosts only serve target files – currently the only host is pythonhosted.org but it could be anything.
Apart from parsing target files to find more hosts, this sounds completely reasonable: assuming that metadata and targets are on the same host (or that targets are all on one host) could be a mistake for TUF.
I don’t think this is a problem TUF should solve at the risk of added complexity, especially if it’s designed for only one use case in mind. Could pip solve that problem on its own?