Phillip J. Eby wrote:
At 06:09 PM 8/11/2005 -0500, Ian Bicking wrote:
I think from a make-people-feel-comfortable perspective, it might be better if ez_setup informed the user of what it's doing (installing a build dependency) and got a confirmation. For instance, it can be disconcerting to do something that shouldn't require any privilege (e.g., setup.py --help-commands) and end up triggering something that does require privilege (global installation of a package). Just an "I'm going to do this; OK?" question would be reassuring.
But then, how do you do that in such a way that an automated installation process (other than EasyInstall) won't hang?
I suppose I could have the download function display a message followed by a countdown timer that would allow you to abort by hitting ^C. That way, an unattended process or lazy user (or slow reader :) could just proceed without needing to do anything.
The only problem I see with that is that drawing the user's attention to something that 99% of the time is going to be okay seems like a bad idea. It's like "WARNING: I'm about to do something exactly like what you'd do yourself by hand!"
Hopefully setuptools won't get installed 99% of the time, just once or twice per machine. Because setuptools installation can happen even when nothing installation-related is being requested, it's a bit out of the norm. Hence the confirmation, or at least prominent notification. I also, like most unix users, don't usually start by running a command as root, so ez_setup will fail in that situation. At least by putting up the interactive message it's not going to be as surprising when that happens.
But other layers of consistency are possible. For instance, for a package to be "trusted" by PyPI (on some level), maybe an email confirmation of substantive package updates would be required (like new releases, new versions of files, etc). This is just another consistency check -- make sure that the person on the other end of the registered email address approves what the person with the login account is doing (of course usually those are the same person).
At the very least, sending them emails about stuff that's happening would ensure they find out their account has been hacked. Assuming the address is still valid, of course, which isn't always the case. :(
Until you start getting phishing emails trying to pretend that your account is hacked. Ah, life on the internet... ):

-- Ian Bicking / ianb@colorstudy.com / http://blog.ianbicking.org