On 21 October 2017 at 06:50, Daniel Holth <dholth@gmail.com> wrote:

I like the idea of lifecycle hooks but I worry about the malware problem; would there need to be a blacklist / whitelist / disable system? (ignore-scripts=true is now a recommended part of anyone's npm configuration) That is why we have avoided any kind of (package specific) hooks to wheel. However hooks would be a very elegant way to avoid worrying about core pip functionality since it wouldn't be core functionality.

Yeah, here's the gist of what I had in mind regarding the malware problem (i.e. aiming to ensure we don't get all of setup.py's problems back again):

- a package's own install hooks do *not* get called for that package

- hooks only run by default inside a virtualenv as a regular user

- outside a virtualenv, the default is "hooks don't get run at all"

- when running with elevated privileges, the default is "hooks don't get run at all"

There are still some open questions with it (like what to do with hooks defined in packages that get implicitly coinstalled as a dependency), and having the default behaviour depend on both "venv or not" and "superuser or not" may prove confusing, but it would avoid a number of the things we dislike about install-time setup.py invocation.

Cheers,

Nick.

Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia