[Catalog-sig] Initial requirements

Andrew Kuchling akuchlin@mems-exchange.org
Wed, 08 Nov 2000 16:18:25 -0500


[This is an edited version of a posting I made to the Distutils-SIG
 some months ago.]

There are a few steps needed to find and install a package:
1) Discovery : which module does what I need?
2) Download  : where can I get a copy?
3) Security  : is this actually from the package author, and not a 
               Trojan horse?
4) Installation : how do I set it up?
   
Distutils focuses on the hardest and most complicated step, #4.

Requirements from #1)

1.1) Users can browse through a list of available packages, browse
through a hierarchy like Parnassus, or do keyword searches.

1.2) Packages are also indexed by author and date, so you can see all
of Moshe's packages, or the 10 most recently changed packages.

1.3) For each author, their name, e-mail and home page URL are stored.

1.4) Information about a package is only extracted from the metadata
included in the package's setup.py file.  This ensures that the info
is up-to-date, saves users the effort of entering data, and encourages
people to use the Distutils.

Requirements from #2)

2.1) Given a package name, software can retrieve one or more download
URLs for the package.

2.2) The catalog should keep copies of the code, not just point to
remote sites, in order to prevent disasters.

2.3) It should be possible to mirror the catalog without too much
trouble, using a conventional FTP or HTTP mirroring script.

Requirements from #3)

3.1) Users can check a signature on the downloaded package,
using an external tool such as GnuPG.  

3.2) Checking the signature is optional, and can be skipped if the
external tool isn't available.  (We could implement our own signature
scheme with Python code, but that's a bad idea; security is hard, and
few people will bother to generate keys that are only useful for
distributing Python modules.)

Related requirement: the Distutils sdist and bdist_* commands should
have a --sign switch to sign the generated .tgz, .rpm, or whatever
file.
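As an added illustration of requirements 3.1 and 3.2 and the proposed
--sign switch (example code written for this page, not Andrew's code
and not part of Distutils), here is a small Python module that shells
out to an external GnuPG binary to sign a built archive and to verify a
detached signature, and that degrades to "skipped" when gpg is not
installed.  Everything beyond what the post says is an assumption: the
signature file name (<archive>.asc), and the idea that the catalog
would publish each author's key fingerprint next to the name, e-mail
and home page of requirement 1.3 so that a client can pin it.  The
status lines in the sample below are constructed to match gpg's
documented --status-fd format, not captured from a real run.

```python
"""Sign and verify Distutils archives with an external GnuPG binary.

Added example for the catalog requirements thread; not Distutils code.
Assumptions (not stated in the original post):
  - detached ASCII-armoured signatures live next to the archive as
    <archive>.asc, which is what a --sign switch would write;
  - the catalog publishes each author's key fingerprint, so a client
    pins that fingerprint instead of trusting "some key in my keyring".
"""
import shutil
import subprocess

SKIPPED, GOOD, BAD, UNTRUSTED = "skipped", "good", "bad", "untrusted"

# gpg status tags that mean "do not accept this signature" even if it
# is cryptographically valid (expired or revoked signing key).
_REJECT_TAGS = {"BADSIG", "EXPKEYSIG", "REVKEYSIG"}


def sign_file(path, gpg="gpg"):
    """What a --sign switch on sdist/bdist_* could do.

    Writes a detached, ASCII-armoured signature to path + '.asc' and
    returns that name, or None when the external tool is not installed
    (signing, like verification, stays optional per requirement 3.2).
    """
    if shutil.which(gpg) is None:
        return None
    subprocess.run(
        [gpg, "--batch", "--yes", "--armor", "--detach-sign", path],
        check=True,
    )
    return path + ".asc"


def parse_gpg_status(status_text, expected_fprs):
    """Turn gpg's machine-readable --status-fd output into a verdict.

    GOODSIG only means the signature matches *a* key in the local
    keyring.  VALIDSIG carries the 40-hex-digit fingerprint of the
    signing key (and, as its last field, the primary key fingerprint
    when a subkey signed), so that is what we compare against the
    fingerprints pinned for the author.  Anything else, including
    ERRSIG / NO_PUBKEY, is "untrusted": unverifiable, not proven bad.
    """
    expected = {f.replace(" ", "").upper() for f in expected_fprs}
    seen_fprs = set()
    rejected = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in _REJECT_TAGS:
            rejected = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            seen_fprs.add(fields[2].upper())        # signing key fingerprint
            if len(fields) >= 12:
                seen_fprs.add(fields[11].upper())   # primary key fingerprint
    if rejected:
        return BAD
    if seen_fprs & expected:
        return GOOD
    return UNTRUSTED


def verify_file(path, sig_path, expected_fprs, gpg="gpg"):
    """Requirement 3.1/3.2: verify with an external tool, or skip."""
    if shutil.which(gpg) is None:
        return SKIPPED
    # Name both the signature and the data file explicitly so gpg never
    # has to guess which file the detached signature covers.
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
    )
    # Exit status is non-zero for a bad signature; the status lines say why.
    return parse_gpg_status(proc.stdout, expected_fprs)


# Constructed sample status output (not from a real gpg run) for a key
# with fingerprint 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Author <author@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2000-11-08 973718305 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Author <author@example.org>
"""
SAMPLE_NOKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 973718305 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
AUTHOR_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

if __name__ == "__main__":
    print("good sample :", parse_gpg_status(SAMPLE_GOOD, [AUTHOR_FPR]))
    print("wrong key   :", parse_gpg_status(SAMPLE_GOOD, ["FFFF" * 10]))
    print("bad sample  :", parse_gpg_status(SAMPLE_BAD, [AUTHOR_FPR]))
    print("no pubkey   :", parse_gpg_status(SAMPLE_NOKEY, [AUTHOR_FPR]))
    print("no gpg      :", verify_file("pkg.tgz", "pkg.tgz.asc", [AUTHOR_FPR],
                                       gpg="no-such-gpg-binary"))
```

The point of pinning the fingerprint rather than accepting any GOODSIG
is that a keyring usually holds keys of unknown provenance; a Trojan
horse signed with the attacker's own key still produces a GOODSIG.
Treating a missing public key as "untrusted" rather than "bad" keeps
the skip-if-unavailable behaviour of 3.2 distinct from an actual
verification failure, which a client should refuse to install.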

Requirements from #4) None

Not covered in these initial requirements: checking for updated
versions, tracking dependencies.  These seem to be difficult problems
that require a database of Python packages installed on a system.

--amk