[Catalog-sig] PyPI and setuptools

Nick Coghlan ncoghlan at gmail.com
Sun Feb 10 03:15:32 CET 2013


On Sun, Feb 10, 2013 at 9:37 AM, Stephen Thorne <stephen at thorne.id.au> wrote:
> On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <jnoller at gmail.com> wrote:
>> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <stephen at thorne.id.au> wrote:
>> > Setuptools either needs to be sunset, notices put on pypi, warnings
>> > given to its users, out of linux distros, or it has to be upgraded to be
>> > feature compatible with the security updates.
>> >
>> > That's a strong statement I've made, but I feel strongly that something
>> > has to be done. I would like to solicit opinions here before an action plan
>> > is composed.
>>
>> This is a bit of a question mark to me: the reality is that
>> easy_install/setuptools usage is probably still dramatically higher than
>> that of more modern tooling.

One thing to keep in mind is that at least Fedora, and I believe other
distros, actually ship distribute rather than vanilla setuptools.
Migrating from insecure infrastructure is going to be a slow process;
the immediate task is to make such a migration possible by:
1. Getting the server side in order
2. Offering at least one tool that better handles the security side of things

>> That, and AFAIK, there are still features of
>> them that the alternatives do not support (binary eggs, which are a must for
>> windows).
>
> Yikes. This is something I didn't fully understand until now. Our windows
> users prefer to use setuptools and eggs? That makes sense I guess.

Many of the changes in PEP 426, and Daniel Holth's wheel PEPs arise
directly from asking the question "Why are some people still using
setuptools rather than the alternatives?".

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
