On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
On 13 October 2014 11:40, holger krekel <holger@merlinux.eu> wrote:
and I just noted that the very Python guide on packaging is advertising using plain --extra-index-url for private packages as well:
http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
I can see your point here (I'm not sure I agree with it, but that's a separate issue).
Sorry, but what is there to agree or discuss? If recommending --extra-index-url for private packages does not come with a big fat warning that you need to publicly register the name with PyPI, it exposes users to direct compromise of their machine, plain and simple.

best,
holger
If you want to propose a patch for the packaging user guide, we can discuss it there.
and, besides the need for fixing the various discussions/pages, I think that PEP 470 should contribute to a more careful discussion of the feature (it's fine for the actual external linking to existing PyPI projects use case, mind you).
So if I read you correctly, you're saying that the PEP 470 usage of --extra-index-url is fine. That's good.
I don't think it's the place of PEP 470 to discuss *other* uses of --extra-index-url. Having an example in there seemed fine to me, but if it brings up issues unrelated to the PEP then I think it's a distraction and should be removed. And I believe that's what has happened. So again, that's good.
And I guess pip should have a warning note in the option help to help educate users.
Again, not for the PEP, but feel free to raise a PR for pip (but once again, I reserve the right to disagree with that PR when it's raised :-)).
Paul
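As an added example, not part of the thread or of any project's own files: a pip.conf contrasting the --extra-index-url setup holger objects to with a single-index alternative. The private index URL is a placeholder; the point is that pip merges candidates from every configured index and picks by version, not by which index served the file.

```ini
; pip.conf (added example; host name is a placeholder)
[global]
; Risky: PyPI remains the primary index and the private index is only
; an extra. A public project that reuses a private package name, with a
; higher version number, is what pip will choose to install.
; index-url = https://pypi.org/simple
; extra-index-url = https://pypi.example.internal/simple

; Safer: one index only. The private index serves the in-house packages
; and proxies PyPI for everything else, so the name resolution for
; private names never reaches the public index.
index-url = https://pypi.example.internal/simple
```

Pinning exact versions with hashes in requirements files adds a second check, since a substituted public package will not match the recorded hash.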