On May 8, 2014, at 11:37 AM, M.-A. Lemburg mal@egenix.com wrote:
On 08.05.2014 16:42, M.-A. Lemburg wrote:
On 08.05.2014 15:58, Donald Stufft wrote:
On May 8, 2014, at 9:39 AM, M.-A. Lemburg mal@egenix.com wrote:
Well, to be fair and leaving aside uptime concerns and the general desire to always install packages from some server instead of a safe and trusted local directory (probably too obvious ;-), it would certainly be possible to add support for trusted externally hosted packages.
There is support for trusted externally hosted packages, you put the URL in PyPI and include a hash in the fragment like so:
http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=...
The hash can be md5 or any of the sha-2 family.
Now this does not mean that pip install cdecimal will automatically install this, because whether or not you're willing to install from servers other than PyPI[1] is a policy decision for the end user of pip.
Hmm, if you call that feature "trusted externally hosted packages", pip should really trust them, right? ;-)
I can understand that pip defaults to not trusting URLs which don't meet the above feature requirements, but not that it still warns about unreliable externally hosted packages even if the above feature is used.
At the moment, pip will refuse to use an externally hosted file even if the package author uses the above hashed URLs; even with HTTPS and a proper SSL certificate chain.
Could this perhaps be changed/reconsidered for pip ?
Note that easy_install/setuptools does not have such problems.
Anything can be changed or reconsidered of course. I feel pretty strongly that an installer should not install things from places other than the index without a specific opt in. That discussion would be best done on distutils-sig as it would require reversing the decision in PEP438.
I really don't feel strongly one way or the other about the warning that happens when you allow an external file. It exists primarily because at the time it was implemented external files were allowed by default.
Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
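The "#md5=..." fragment convention discussed in this thread (an md5 or SHA-2 hex digest appended to the download URL) is simple enough to check by hand. The following is an added example, not pip's or setuptools' own code: it parses the fragment, rejects algorithms outside the md5/SHA-2 set the thread names, hashes the downloaded bytes and compares in constant time. The URLs, hostnames and archive bytes are constructed for the example and are not real releases; the "weak" flag for md5 is an added caveat, not part of the PyPI convention.

```python
"""Verify downloaded bytes against the '#<alg>=<hexdigest>' URL fragment
used for externally hosted PyPI links (md5 or any SHA-2 member).
Added example, not pip's own code; sample data below is constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms named in the thread: md5 plus the SHA-2 family.
ALLOWED_ALGORITHMS = {"md5", "sha224", "sha256", "sha384", "sha512"}
# md5 is accepted by the convention but collision-prone; flag it (added caveat).
WEAK_ALGORITHMS = {"md5"}
HEX_CHARS = set("0123456789abcdef")


def parse_hash_fragment(url: str):
    """Return (algorithm, hexdigest) from a fragment such as '#sha256=ab12...'.

    Raises ValueError when the fragment is missing, the algorithm is not in
    ALLOWED_ALGORITHMS, or the digest is not hex of the right length.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        raise ValueError("URL carries no '<alg>=<hexdigest>' fragment")
    alg, _, hexdigest = fragment.partition("=")
    alg = alg.lower()
    if alg not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm {alg!r}")
    hexdigest = hexdigest.lower()
    expected_len = hashlib.new(alg).digest_size * 2
    if len(hexdigest) != expected_len or not set(hexdigest) <= HEX_CHARS:
        raise ValueError(f"malformed {alg} digest in fragment")
    return alg, hexdigest


def verify_download(url: str, data: bytes) -> dict:
    """Hash `data` with the algorithm from the URL fragment and compare it
    to the expected digest in constant time.

    Returns a dict with the verdict ('ok'), whether the algorithm is in
    WEAK_ALGORITHMS, and both digests so a mismatch can be logged.
    """
    alg, expected = parse_hash_fragment(url)
    actual = hashlib.new(alg, data).hexdigest()
    return {
        "algorithm": alg,
        "ok": hmac.compare_digest(actual, expected),
        "weak": alg in WEAK_ALGORITHMS,
        "expected": expected,
        "actual": actual,
    }


# Constructed sample data (not a real release or a real host).
SAMPLE_ARCHIVE = b"stand-in for cdecimal-2.3.tar.gz; constructed bytes\n"
TAMPERED_ARCHIVE = SAMPLE_ARCHIVE + b"extra payload appended by an attacker\n"
SAMPLE_URL = ("https://example.invalid/releases/cdecimal-2.3.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())
SAMPLE_MD5_URL = ("http://example.invalid/releases/cdecimal-2.3.tar.gz#md5="
                  + hashlib.md5(SAMPLE_ARCHIVE).hexdigest())
UNHASHED_URL = "http://example.invalid/releases/cdecimal-2.3.tar.gz"
SHA1_URL = UNHASHED_URL + "#sha1=" + "a" * 40  # not in the allowed set

if __name__ == "__main__":
    print(verify_download(SAMPLE_URL, SAMPLE_ARCHIVE)["ok"])     # True
    print(verify_download(SAMPLE_URL, TAMPERED_ARCHIVE)["ok"])   # False
    print(verify_download(SAMPLE_MD5_URL, SAMPLE_ARCHIVE)["weak"])  # True
```

A real installer would fetch the bytes over the network and additionally decide, as a policy matter, whether a non-index host is acceptable at all; the hash check above only tells you the bytes match what the link author pinned, not that the link author is trustworthy.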