From: Philippe Ombredanne <pombredanne@nexb.com>
> On the other hand, I find it somewhat discomforting as an emerging best way to package and distribute self-contained bootstrap scripts.
But what is the root cause of that discomfort? The distil approach is slightly more discoverable than a pure zip would be, but for the security conscious all the code is there and available for inspection (unlike installing a distribution directly from PyPI, which will pull you-know-not-what from the network).
> Virtualenv does it, distil is doing it now, and pip tried some of it here: https://github.com/pypa/pip/blob/develop/contrib/get-pip.py
> In contrast, buildout, distribute and setuptools bootstrap scripts do not embed their dependencies, and either try to get them satisfied locally or attempt to download the requirements.
And all this time, they would have been vulnerable to a MITM attack on PyPI because PyPI didn't support verifiable SSL connections until recently. It's good to be cautious, but Bruce Schneier has plenty of stories about caution directed in the wrong directions.
> Having some support to do self-contained bootstrap scripts (as in requiring no network access and embedding all their dependencies) using this shar style could be something to consider normalizing?
It seems like a decision for individual developers or developer teams to make on a case-by-case basis - it doesn't seem like something that needs to be "officially" encouraged or discouraged.

Regards,

Vinay Sajip
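The pattern the thread is discussing (a bootstrap script that carries its own dependencies and needs no network access, so there is nothing for a MITM on the index to substitute) can be shown in a few dozen lines. The following is an added example written for this page, not code from pip, virtualenv, distil or any of the participants: the build side packs a zip, base64-encodes it and pins its SHA-256; the run side decodes, verifies the pin and imports straight out of the archive via zipimport. All function names, the `embedded_helper` sample package and the tampered variant are constructed for illustration; it assumes Python 3 and the standard library only.

```python
"""Self-contained bootstrap pattern: embed a zip of dependencies in the
script, verify it against a pinned hash, and import from it offline."""
import base64
import hashlib
import importlib
import io
import os
import sys
import tempfile
import zipfile


def make_embedded_payload(files):
    """Pack {archive path: bytes} into a zip; return (base64 text, sha256 hex).

    A build step runs this once and pastes both strings into the bootstrap
    script as constants, so the hash pins exactly what was shipped.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    raw = buf.getvalue()
    return base64.b64encode(raw).decode("ascii"), hashlib.sha256(raw).hexdigest()


def payload_is_intact(payload_b64, expected_sha256):
    """True only if the embedded bytes still hash to the pinned digest."""
    raw = base64.b64decode(payload_b64)
    return hashlib.sha256(raw).hexdigest() == expected_sha256


def unpack_embedded_payload(payload_b64, expected_sha256, dest_dir):
    """Verify the payload, write the zip under dest_dir, put it on sys.path.

    Returns the zip path. Refuses to proceed on a hash mismatch rather than
    importing whatever happens to be embedded.
    """
    if not payload_is_intact(payload_b64, expected_sha256):
        raise RuntimeError("embedded payload does not match pinned SHA-256")
    zip_path = os.path.join(dest_dir, "bootstrap_deps.zip")
    with open(zip_path, "wb") as f:
        f.write(base64.b64decode(payload_b64))
    # zipimport lets Python import packages directly from a zip file, so
    # nothing is extracted and no installer has to be downloaded.
    if zip_path not in sys.path:
        sys.path.insert(0, zip_path)
    return zip_path


# Constructed stand-in for the dependencies a real bootstrap script would
# embed (a one-function package instead of, say, a vendored installer).
SAMPLE_FILES = {
    "embedded_helper/__init__.py": b"def greet(who):\n    return 'hello, ' + who\n",
}

# Constructed tampered variant with the same layout: what someone able to
# modify the bytes in transit or on a mirror might substitute.
TAMPERED_FILES = {
    "embedded_helper/__init__.py": b"def greet(who):\n    return 'pwned'\n",
}


def bootstrap_and_run():
    """End-to-end: build the payload, unpack it offline, import and call."""
    payload, digest = make_embedded_payload(SAMPLE_FILES)
    unpack_embedded_payload(payload, digest, tempfile.mkdtemp())
    helper = importlib.import_module("embedded_helper")
    return helper.greet("world")


def tampered_payload_rejected():
    """True if a payload that differs from the pinned one is refused."""
    _, pinned_digest = make_embedded_payload(SAMPLE_FILES)
    bad_payload, _ = make_embedded_payload(TAMPERED_FILES)
    try:
        unpack_embedded_payload(bad_payload, pinned_digest, tempfile.mkdtemp())
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(bootstrap_and_run())
    print("tampered payload rejected:", tampered_payload_rejected())
```

The hash check only tells you the embedded bytes are the ones the script author pinned; it says nothing about whether those bytes were trustworthy when they were pinned, which is the "all the code is there and available for inspection" point above: the reviewer's job moves from the network to the archive in the script.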