[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 14:18:44 CET 2013


On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel <holger.krekel at gmail.com> wrote:
> > Dropping the crawling over external pages needs _much_ more than just a few
> > months deprecation warnings, rather years. There are many packages out
> > there, and it would break people's installations.
> 
> No it won't. Nothing gets uninstalled. What stops working is
> installing those packages with pip/easy_install. And that will start
> again as soon as the maintainer uploads the last version to PyPI,
> which she/he is likely to do quite quickly after people start
> complaining.
A longer deprecation wouldn't be a bad thing merely because a lot
of people depend on this feature without even realizing it. Crate has
an index you can use that removes all external urls to test your own
projects on. --index-url=https://restricted.crate.io/ (through pip).

Or rather a short deprecation in the tools where they'll crawl external
links by default, and a long deprecation where they'll do it with an
--enable-unsafe-externals or something.

> > I certainly agree, though, that the current client-side crawling is a
> > nuisance and makes for unreliability of installation procedures. I think we
> > should move the crawling to the server side and cache packages.
> 
> That will mean that a man-in-the-middle attack might poison PyPI's
> cache. I don't think that's a feasible path forward.
> 
> Packages do not need to be "cached", as they are not supposed to
> change. If you change the package you should really release a new
> version. (Unless you made a mistake and discovered it before anyone
> actually downloaded it). So what you are proposing is really that PyPI
> downloads the package from an untrusted source, if the maintainer
> doesn't upload it. I prefer that we demand that the maintainer upload
> it.
I agree with this. External packages are inherently less able to be validated
than something uploaded to PyPI. We should not disguise them or make
them appear to be something they aren't.
> 
> //Lennart 
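
The check Donald describes above, finding out which of your dependencies would stop installing without external crawling, can also be done offline by looking at the links on each project's /simple/ page. The following is an added example, not code from the thread or from pip/Crate; it assumes that only links served from pypi.python.org count as uploaded to PyPI and uses constructed sample pages rather than real index content.

```python
import re
from urllib.parse import urljoin, urlparse

# Assumption for this example: only links on PyPI's own host count as
# "uploaded to PyPI"; anything else needs external crawling to install.
PYPI_HOSTS = {"pypi.python.org"}

HREF_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"', re.IGNORECASE)


def classify_links(page_url, html):
    """Return (internal, external) download URLs from a /simple/<project>/ page.

    Relative links are resolved against page_url, so PyPI's own
    ../../packages/... links land in `internal`."""
    internal, external = [], []
    for href in HREF_RE.findall(html):
        url = urljoin(page_url, href)
        if urlparse(url).netloc.lower() in PYPI_HOSTS:
            internal.append(url)
        else:
            external.append(url)
    return internal, external


def projects_needing_externals(index_pages):
    """Given {project: (page_url, html)}, name the projects whose only
    download links live off PyPI, i.e. the ones a restricted index breaks."""
    broken = []
    for project, (page_url, html) in index_pages.items():
        internal, external = classify_links(page_url, html)
        if external and not internal:
            broken.append(project)
    return sorted(broken)


# Constructed sample pages (not real PyPI content); the md5 fragment is a
# placeholder value, not a real checksum of anything.
SAMPLE_PAGES = {
    "fooapp": (
        "https://pypi.python.org/simple/fooapp/",
        '<a href="../../packages/source/f/fooapp/fooapp-1.0.tar.gz#md5=0000">fooapp-1.0.tar.gz</a>',
    ),
    "barlib": (
        "https://pypi.python.org/simple/barlib/",
        '<a href="http://downloads.example.org/barlib/barlib-2.1.zip" rel="download">barlib-2.1.zip</a>',
    ),
}

if __name__ == "__main__":
    print(projects_needing_externals(SAMPLE_PAGES))  # ['barlib']
```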
