1.4 KiB
Aliases: from a local file, kinda like requirements.txt, maps name to hash, either package/module name, or an author/public key name.
This has to be treated specially. If two aliases appear to be the same, but one is fetched a "secure" IPFS hash, it MUST be compared w/ what ever secure hash the two aliases had in common. Otherwise a malicious package could "pretend" that it hash the sha256 that's the same, but provide a bad IPFS hash, and then we'd load the malicous package instead.
Example: from cas.a.jmg.utils import aiter, anext
How to handle inventory? wrapper that keeps track of what hashes got loaded? write out to a mapping file? Or maybe a command given a url or ipfs, generates the necessary aliases + urls for it?
Features: add: file git(?)hub?
This will be needed for cas imported packages that use cas themselves:
Loaders that wish to support resource reading should implement a get_resource_reader(fullname) method as specified by importlib.abc.ResourceReader.
Hash options: urn old ietf draft: https://datatracker.ietf.org/doc/draft-thiemann-hash-urn/ - not up to date hash-uri: https://github.com/hash-uri/hash-uri - this looks best multihash: https://github.com/multiformats/multihash - no URI specification ipfs uri: https://github.com/ipfs/in-web-browsers/blob/master/ADDRESSING.md - not a hash, but useful for IPFS names ni: https://tools.ietf.org/html/rfc6920 - complicated, not well supported