[Catalog-sig] PyPI and setuptools

Stephen Thorne stephen at thorne.id.au
Sun Feb 10 00:37:15 CET 2013


On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <jnoller at gmail.com> wrote:

> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <stephen at thorne.id.au> wrote:
>
> > Hello,
> >
> > One of my concerns with the recent pip dramas that have seen some
> excellent and timely action from catalog-sig and others, is that
> 'setuptools' is still widely distributed and used instead of distribute/pip.
>
> Well, let's back up: these aren't pip-specific problems: just about every
> client-side tool for installing from pypi suffers from lax security.

> >
> > Setuptools either needs to be sunset, notices put on pypi, warnings
> given to its users, out of Linux distros, or it has to be upgraded to be
> feature-compatible with the security updates.
> >
> > That's a strong statement I've made, but I feel strongly that something
> has to be done. I would like to solicit opinions here before an action plan
> is composed.
>
> This is a bit of a question mark to me: the reality is that
> easy_install/setuptools usage is probably still dramatically higher than
> that of more modern tooling. That, and AFAIK, there are still features of
> them that the alternatives do not support (binary eggs, which are a must
> for Windows).

Yikes. This is something I didn't fully understand until now. Our Windows
users prefer to use setuptools and eggs? That makes sense, I guess.

With that in mind, it sounds like we're going to have to push patches into
setuptools and make a security patch release...

Stephen.