
On 21 September 2016 at 06:59, Chris Angelico <rosuav@gmail.com> wrote:
On Wed, Sep 21, 2016 at 4:58 AM, אלעזר <elazarg@gmail.com> wrote:
I think that combining user convenience and security considerations, there should be some way to invoke a GUI version of pip with flashing screen asking for permissions to install the library. In situations where interaction with the user is not trivial (i.e. when you don't have GUI accessible) we can assume that the user is knowledgeable enough to install the dependencies by herself. The import statement will be self-explanatory in this case.
There have been talks of linking pip with Idle, which might do what you want. I don't know how that has progressed, but it'd be something to look into.
The issue for that is here: http://bugs.python.org/issue27051

It turns out the fact IDLE is sometimes used to teach *complete* novices creates a problem for that concept, as learning to safely navigate the free-for-all that is PyPI is actually a pretty advanced development skill vs using a more curated collection like a Linux distro or conda (where there are entities behind them that promise that the code you download will be both non-hostile and at least arguably useful, as opposed to PyPI where the only promise we make is "the code you download will be the code the publisher uploaded" without any attestation, good or otherwise, regarding the trustworthiness of the publisher).

A whitelist where we pre-approve a bunch of known-safe components (perhaps even populated automatically from the conda ecosystem) might resolve that, but we really do need some form of curation if we're proposing to offer this as a default capability to learners that aren't even familiar with their system command line yet.

There's also an open issue at https://github.com/pypa/python-packaging-user-guide/issues/267 regarding improving the documentation on packaging.python.org that points folks towards the various bundling utilities that can give them installers and self-contained scripts for execution on end user systems. In that domain, a potentially useful addition would be a clear recipe for how to combine a script and a PyPI requirements file, into a zipapp archive that bundles all those dependencies along with the script as __main__.py.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
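
Added example, not part of the message above and not code from the Python packaging guide: one way the script-plus-requirements-file recipe mentioned in the last paragraph could look, using the standard library's `zipapp` module and `pip install --target`. The function names (`install_requirements`, `build_pyz`, `demo`) and the `greeter` module are hypothetical; the demo substitutes a constructed stand-in dependency for the pip step so that it runs offline.

```python
import shutil
import subprocess
import sys
import tempfile
import zipapp
from pathlib import Path


def install_requirements(requirements: Path, staging: Path, require_hashes: bool = False) -> None:
    """Install the requirements file into the staging directory (needs network)."""
    cmd = [sys.executable, "-m", "pip", "install",
           "--target", str(staging), "-r", str(requirements)]
    if require_hashes:
        # Assumes every entry in the requirements file carries a --hash pin.
        cmd.append("--require-hashes")
    subprocess.run(cmd, check=True)


def build_pyz(script: Path, staging: Path, output: Path) -> Path:
    """Copy the script in as __main__.py, then zip the staging directory."""
    shutil.copyfile(script, staging / "__main__.py")
    zipapp.create_archive(staging, target=output, interpreter="/usr/bin/env python3")
    return output


def demo() -> str:
    """Build and run an archive from constructed inputs; returns its stdout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging = root / "staging"
        staging.mkdir()
        # Constructed stand-in for a dependency; a real build would call
        # install_requirements(root / "requirements.txt", staging) instead.
        (staging / "greeter.py").write_text("def greet(name):\n    return 'hello ' + name\n")
        script = root / "script.py"
        script.write_text("import greeter\nprint(greeter.greet('pyz'))\n")
        pyz = build_pyz(script, staging, root / "app.pyz")
        # The archive is self-contained: the bundled module is imported from it.
        result = subprocess.run([sys.executable, str(pyz)],
                                capture_output=True, text=True, check=True)
        return result.stdout.strip()


if __name__ == "__main__":
    print(demo())
```

Dependencies that ship compiled extension modules cannot be imported from inside the archive, so this approach fits pure-Python requirements.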