<div dir="ltr">On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <span dir="ltr"><<a href="mailto:jnoller@gmail.com" target="_blank">jnoller@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Feb 9, 2013, at 6:13 PM, Stephen Thorne <<a href="mailto:stephen@thorne.id.au">stephen@thorne.id.au</a>> wrote:<br>
<br>
> Hello,<br>
><br>
> One of my concerns with the recent pip dramas that have seen some excellent and timely action from catalog-sig and others, is that 'setuptools' is still widely distributed and used instead of distribute/pip.<br>
<br>
</div>Well, lets back up: these aren't pip specific problems: just about every client side tool for installing from pypi suffers from lax security.</blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">
><br>
> Setuptools either needs to be sunset, notices put on pypi, warnings given to its users, out of linux distros, or it has to upgraded to be feature compatible with the security updates.<br>
><br>
> That's a strong statement I've made, but I feel strongly that something has to be done. I would like to solicit opinions here before an action plan is composed.<br>
<br>
</div>This is a bit of a question mark to me: the reality is that easy_install/setup tools usage is probably still dramatically higher than that of more modern tooling. That, and AFAIK, there are still features of them that the alternatives do not support (binary eggs, which are a must for windows).</blockquote>
<div><br></div><div style>Yikes. This is something I didn't fully understand until now. Our windows users prefer to use setuptools and eggs? That make sense I guess. </div><div> </div><div style>With that in mind, it sounds like we're going to have to push patches into setuptools and make a security patch release...</div>
<div style><br></div><div style>Stephen.</div></div></div></div>