[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 14:42:51 CET 2013


On Tuesday, February 5, 2013 at 8:34 AM, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft <donald.stufft at gmail.com (mailto:donald.stufft at gmail.com)> wrote:
> > A longer deprecation wouldn't be a bad thing merely because a lot
> > of people depend on this feature without even realizing it. Crate has
> > an index you can use that removes all external urls to test your own
> > projects on. --index-url=https://restricted.crate.io/ (through pip).
> > 
> > Or rather a short deprecation in the tools where they'll crawl external
> > links by default, and a long deprecation where they'll do it with an
> > --enable-unsafe-externals or something.
> > 
> > I certainly agree, though, that the current client-side crawling is a
> > nuisance and makes for unreliability of installation procedures. I think we
> > should move the crawling to the server side and cache packages.
> > 
> 
> 
> Whatever we do to fix the PyPI security it *will* break all the
> packages that now exist on third-party servers. As long as unsigned
> packages from third-party servers are allowed, we have a big honking
> security hole. I'm now almost sorry I suggested a deprecation period,
> as this gives the wrong impression.
> 
> So forget about it. I'm now suggesting a different deprecation: For a
> couple of versions of Distribute and pip, we continue to crawl, but do
> not install the packages. Instead we exit with "Package found at
> <url>, but packages from third-party servers are not installed by
> easy_install because they pose a security issue."
> 
> //Lennart 
If you break people's ability to install packages right away they'll refuse
to upgrade. This type of change will be met with outright resistance from
some people regardless of how it's done; adding in resistance from people
who don't care and just want to install their packages is not going to make
it any more of a smooth transition.
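The exchange above is about the client (pip, Distribute's easy_install) following links from a PyPI project page off to third-party hosts. The snippet below is an added example, not code from either poster nor from pip or Distribute: it collects the links on a simple-index project page, classifies each as index-hosted or external by comparing hosts, and applies the two behaviours under discussion, an explicit unsafe-externals switch versus Lennart's "found but not installed" report. The index URL, the page HTML and every link in it are constructed for the example.

```python
import html.parser
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hypothetical index base; PyPI's real simple index lives elsewhere.
INDEX_URL = "https://pypi.example.org/simple/"

# Constructed sample page: one file hosted on the index itself (with an
# md5 fragment, as index-hosted files carried), one file on a third-party
# host, and a homepage link that a crawling client would follow further.
SAMPLE_PAGE = """
<html><body>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">foo-1.0.tar.gz</a>
<a href="http://downloads.example.net/foo/foo-1.1.tar.gz">foo-1.1.tar.gz</a>
<a href="http://foo.example.net/" rel="homepage">foo home</a>
</body></html>
"""

ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".egg", ".whl")


@dataclass
class Candidate:
    url: str          # absolute URL after resolving against the page
    external: bool    # True when the host differs from the index host
    rel: Optional[str]


class _LinkCollector(html.parser.HTMLParser):
    """Gather (href, rel) pairs from every <a> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = dict(attrs)
            if attr.get("href"):
                self.links.append((attr["href"], attr.get("rel")))


def collect_candidates(page_html: str, page_url: str,
                       index_url: str = INDEX_URL) -> List[Candidate]:
    """Resolve every link on a project page and flag off-index hosts."""
    collector = _LinkCollector()
    collector.feed(page_html)
    index_host = urlsplit(index_url).netloc
    out = []
    for href, rel in collector.links:
        absolute = urljoin(page_url, href)
        external = urlsplit(absolute).netloc != index_host
        out.append(Candidate(absolute, external, rel))
    return out


def is_distribution(url: str) -> bool:
    # Fragments (#md5=...) are not part of the path, so they do not
    # interfere with the suffix check.
    return urlsplit(url).path.endswith(ARCHIVE_SUFFIXES)


def select_installable(candidates: List[Candidate],
                       allow_unsafe_externals: bool = False
                       ) -> Tuple[List[str], List[str]]:
    """Split distribution links into installable URLs and warnings.

    With allow_unsafe_externals=False this is the proposed deprecation
    behaviour: external files are reported, not fetched.
    """
    installable, warnings = [], []
    for cand in candidates:
        if not is_distribution(cand.url):
            continue  # homepage-style links are crawl targets, not files
        if cand.external and not allow_unsafe_externals:
            warnings.append(
                f"Package found at {cand.url}, but packages from "
                "third-party servers are not installed because they pose "
                "a security issue.")
        else:
            installable.append(cand.url)
    return installable, warnings


if __name__ == "__main__":
    cands = collect_candidates(SAMPLE_PAGE, INDEX_URL + "foo/")
    files, warns = select_installable(cands)
    print("installable:", files)
    for w in warns:
        print("warning:", w)
```

Note that only the index-hosted link carries a hash fragment the client could verify; nothing on the page lets the client check what a third-party host actually serves, which is the hole Lennart describes.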