<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 15, 2015 at 2:23 PM, Paul Moore <span dir="ltr"><<a href="mailto:p.f.moore@gmail.com" target="_blank">p.f.moore@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">In the PEP, there's a concept of "optional" vs "required" extensions.<br>
See <a href="https://www.python.org/dev/peps/pep-0426/#required-extension-handling" target="_blank">https://www.python.org/dev/peps/pep-0426/#required-extension-handling</a>.<br>
This is crucial - I've no problem if a particular extension is used by<br>
a project, as long as it's optional. I won't install it, so it's fine.<br>
It seems to me that pip *has* to ignore missing optional extensions,<br>
for this reason. Of course, that introduces the converse problem,<br>
which is how would people who might want that extension to be<br>
activated, know that a project used it?<br></blockquote><div><br></div><div>Exactly -- we do want "pip install" to just work...</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> But I worry that some people may have a more liberal definition<br>
of "required" than I do.</blockquote><div><br></div><div>They probably do -- if they want things to "just work"</div><div><br></div><div>We have the same problem with optional dependencies.</div><div><br></div><div>For instance, for iPython to work, you don't need much. but if you want the ipython notebook to work, you need tornado, zeromq, who knows what else. But people want it to just work -- and just work be default, so you want all that optional stuff to go in by default.</div><div><br></div><div>I expect this is the same with wheel installer extensions. To use your example, for instance. People want to do:</div><div><br></div><div>pip install sphinx</div><div><br></div><div>and then have the <span style="color:rgb(0,0,0);font-family:Consolas,'DejaVu Sans Mono','Bitstream Vera Sans Mono',monospace;font-size:13px;letter-spacing:0.015em;line-height:15.6000003814697px;background-color:rgb(248,248,248)">sphinx-quickstart </span>utility ready to go. by default. So scripts need to be installed by default.</div><div><br></div><div>The trade-off between convenience and control/security is tough.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Based on the above, it's possibly valid to allow "required" extensions<br>
to be auto-installed. It *is* a vector for unexpected code execution,<br>
but maybe that's OK.<br></blockquote><div><br></div><div>If even required extensions aren't auto installed, then we can just toss out the whole idea of automatic dependency management. (which I personally wouldn't mind, actually, but I'm weird that way)</div><div><br></div><div>But maybe we need some "real" use cases to talk about -- I agree with others in this thread that the Start menu isn't a good example.</div><div><br></div><div>-Chris</div><div><br></div><div><br></div><div><br></div><div><br></div></div>-- <br><div><br>Christopher Barker, Ph.D.<br>Oceanographer<br><br>Emergency Response Division<br>NOAA/NOS/OR&R <a href="tel:%28206%29%20526-6959" value="+12065266959" target="_blank">(206) 526-6959</a> voice<br>7600 Sand Point Way NE <a href="tel:%28206%29%20526-6329" value="+12065266329" target="_blank">(206) 526-6329</a> fax<br>Seattle, WA 98115 <a href="tel:%28206%29%20526-6317" value="+12065266317" target="_blank">(206) 526-6317</a> main reception<br><br><a href="mailto:Chris.Barker@noaa.gov" target="_blank">Chris.Barker@noaa.gov</a></div>
</div></div>