On 8/11/05, Phillip J. Eby
> And without those signatures, your hand-installation procedure provides you with *zero* additional security unless you're personally inspecting every single line of code you install. Heck, you're running downloaded .exe files with unsigned code, for heaven's sake! And you're worried because ez_setup downloads the setuptools egg? Crikey. :)
Told you I'm not security-conscious (hey, I'm not conscious most of the time! :-))

I'm a naive user who knows the Internet's a scary place, but doesn't really think people are going to bother mocking up a website just to pick on users of Python's PIL module. So if I go to the website and *see* that it looks OK, I trust it. But ez_setup just went off and got something, from somewhere. I never saw the page with the link on it, so what if the link ez_setup used was wrong? I never got to see a nice reassuring webpage with Fredrik's name on it, so how can I be sure I got the right place?

I'm not *actually* that naive, but I do tend to prefer to be very "manual" when I interact with the internet, just because I trust myself (probably incorrectly!) more than I trust an automated program...

OK, I retract the suggestion that no download be the default, but I'd still like a "manual download" option, which doesn't grab stuff automatically. After all, ez_setup has the option to go to a local cache (I can't recall how it works, but I know you mentioned it before). Why can't I say that I trust the cache (it's been vetted, virus scanned, whatever), so use that, but *don't* go elsewhere? Then I download what I think I need, do the install, and get messages reporting any eggs I missed. I grab those, vet them, and try again. Repeat as needed....

Paul.
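As an added illustration of the "trust the vetted cache, but don't go elsewhere" mode Paul describes (example code written for this page, not part of the thread and not setuptools' or ez_setup's own implementation): a resolver that satisfies requirements only from a local egg directory, accepts an egg only if its SHA-256 digest matches a hand-maintained manifest of vetted files, and reports what is missing or rejected instead of fetching it. The egg filename pattern is a simplified assumption (real setuptools names can also carry a platform tag), and the throwaway cache it builds contains placeholder bytes rather than real egg archives.

```python
"""Local-only egg resolution against a vetted manifest (illustrative, not setuptools code)."""
import hashlib
import os
import re
import tempfile

# Simplified egg filename pattern (an assumption): Name-Version[-pyX.Y][-platform].egg
EGG_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+)-(?P<version>[0-9][A-Za-z0-9_.]*)"
    r"(?:-py\d\.\d+)?(?:-[A-Za-z0-9_.]+)?\.egg$"
)


def sha256_file(path):
    """Hash a file in chunks so large eggs do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(path):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    digests = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, fname = line.partition("  ")
            digests[fname] = digest.lower()
    return digests


def canon(name):
    """Normalise project names the way a case-insensitive comparison would."""
    return name.lower().replace("-", "_")


def resolve_locally(requirements, cache_dir, manifest):
    """Satisfy (name, version) requirements from cache_dir only; never download.

    Returns (accepted, missing, rejected):
      accepted: {requested name: path} for eggs present and matching the manifest
      missing:  requirements with no acceptable egg in the cache
      rejected: (filename, reason) for eggs that exist but are unvetted or altered
    """
    candidates, rejected = {}, []
    for fname in sorted(os.listdir(cache_dir)):
        m = EGG_RE.match(fname)
        if not m:
            continue
        expected = manifest.get(fname)
        if expected is None:
            rejected.append((fname, "not in vetted manifest"))
            continue
        if sha256_file(os.path.join(cache_dir, fname)) != expected:
            rejected.append((fname, "digest mismatch"))
            continue
        candidates[(canon(m.group("name")), m.group("version"))] = os.path.join(cache_dir, fname)

    accepted, missing = {}, []
    for name, version in requirements:
        key = (canon(name), version)
        if key in candidates:
            accepted[name] = candidates[key]
        else:
            missing.append((name, version))
    return accepted, missing, rejected


def build_demo_cache():
    """Constructed sample cache: one vetted egg, one unvetted, one whose digest was altered."""
    d = tempfile.mkdtemp(prefix="eggcache-")
    files = {
        "PIL-1.1.5-py2.4.egg": b"vetted PIL egg (placeholder bytes)",
        "setuptools-0.6a11-py2.4.egg": b"unvetted setuptools egg (placeholder bytes)",
        "docutils-0.3.9-py2.4.egg": b"docutils egg whose manifest entry is stale (placeholder bytes)",
    }
    for fname, data in files.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
    manifest = os.path.join(d, "VETTED.sha256")
    with open(manifest, "w") as f:
        f.write("# eggs reviewed and virus-scanned by hand\n")
        f.write("%s  PIL-1.1.5-py2.4.egg\n" % sha256_file(os.path.join(d, "PIL-1.1.5-py2.4.egg")))
        f.write("%s  docutils-0.3.9-py2.4.egg\n" % ("0" * 64))  # deliberately wrong digest
    return d, manifest


def demo():
    """Run the resolver over the constructed cache; ReportLab is requested but absent."""
    cache, manifest_path = build_demo_cache()
    reqs = [("PIL", "1.1.5"), ("setuptools", "0.6a11"), ("docutils", "0.3.9"), ("ReportLab", "1.20")]
    return resolve_locally(reqs, cache, load_manifest(manifest_path))


if __name__ == "__main__":
    accepted, missing, rejected = demo()
    for name, path in accepted.items():
        print("OK       %s -> %s" % (name, path))
    for fname, reason in rejected:
        print("REJECTED %s: %s" % (fname, reason))
    for name, version in missing:
        print("MISSING  %s %s (download and vet it, then rerun)" % (name, version))
```

The manifest is the "vetting" step made explicit: an egg that merely sits in the cache directory is not trusted, only one whose digest you recorded after inspecting or scanning it. The missing list is the report Paul asks for; nothing in the function opens a network connection.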