I like the idea of lifecycle hooks but I worry about the malware problem; would there need to be a blacklist / whitelist / disable system? (ignore-scripts=true is now a recommended part of anyone's npm configuration) That is why we have avoided any kind of (package specific) hooks to wheel. However hooks would be a very elegant way to avoid worrying about core pip functionality since it wouldn't be core functionality.
On Fri, Oct 20, 2017 at 4:41 PM Nathaniel Smith email@example.com wrote:
On Oct 19, 2017 11:10, "Donald Stufft" firstname.lastname@example.org wrote:
EXCEPT, for the fact that with the desire to cache things, it would be beneficial to “hook” into the lifecycle of a package install. However I know that there are other plugin systems out there that would like to also be able to do that (Twisted Plugins come to mind) and that I think outside of plugin systems, such a mechanism is likely to be useful in general for other cases.
So here's a different idea that is a bit more ambitious but that I think is a better overall idea. Let entrypoints be a setuptools thing, and let's define some key lifecycle hooks during the installation of a package and some mechanism in the metadata to let other tools subscribe to those hooks. Then a caching layer could be written for setuptools entrypoints to make that faster without requiring standardization, but also a whole new, better plugin system could too, Twisted plugins could benefit, etc.
In this hypothetical system, how do installers like pip find the list of hooks to call? By looking up an entrypoint? (Sorry if this was discussed downthread; I didn't see it but I admit I only skimmed.)
Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig