md5 validation error

Create issue
Issue #163 resolved
Christophe Combelles created an issue

{{{ virtualenv --no-site-packages --distribute sandbox sandbox/bin/easy_install Products.ClockServer (...) error: MD5 validation failed ... }}}

There is a MD5 error, however the MD5 on the PyPI page is correct. The first link in the simple index is correct as well. However, Distribute insists on using a download link from another page : On this other page, the md5 is not correct.

Expected behaviour : Distribute should use the main link from PyPI, and not an external (possibly old) link.

I've investigated a bit and I've found two problems:

1) in setuptools.package_index.process_url : self.process_index is run first. This causes external links to be selected first.

To fix this problem, I've tried to move the self.process_url recursion before self.process_index, so that PyPI links are selected first. But it has no effect because of 2) (see below).

2) in pkg_resources.Environment.getitem, the self._cache is sorted with _sort_dists. I believe there should not be any sorting there, so that the initial link order is respected. There is another _sort_dists in Environment.add, I'm not sure it is useful.

Actually, the link with the wrong MD5 should not be added to the Environment, since it already exists. The full link is not the same but comparison should be done without the MD5 part.

Comments (8)

  1. Christophe Combelles reporter

    fixed here

    I've changed the test to be as close as possible to the observed issue :

    The external link had two reasons to be used in the first place : external pages are scanned first, and the links were compared alphabetically including md5.

    The fix consists in : - scanning index links first. (not external links) - don't include the md5 when comparing distributions.

  2. Log in to comment