[Catalog-sig] PyPI and setuptools

Lennart Regebro regebro at gmail.com
Sun Feb 10 20:58:15 CET 2013


On Sun, Feb 10, 2013 at 2:38 PM, Giovanni Bajo <rasky at develer.com> wrote:
> So, both of these band-aids do *not* solve the "I will intercept the password" problem. I'm not saying that they should not be done. I'm saying that you shouldn't believe they give *any* security to old clients.

I think the way to go is, after a transition period of forwarding, to
drop it and only allow https. This will break old clients. People will
need to upgrade. Distribute currently supports Python 2.4 to 3.3,
meaning that the changes we do will, after some period (which for me
is the shorter the better) mean that we leave Python 2.3 with no
smooth install-path. Instead each package will have to be installed
separately.

You can install with

    easy_install https://pypi.python.org/packages/source/t/tzlocal/tzlocal-0.3.tar.gz#md5=078209f93b2250bb7a7bca05fa0b6d3d

for example. Dependencies will be downloaded with http, meaning that
they will fail, so you have to install each dependency separately.

I'm OK with that situation for Python 2.3. It has after all not even
had a security bug fix release since 2008, and has from what I
understand been out of security release mode for years.

//Lennart
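Editor's note: the message above relies on two checks that an installer makes when given a URL like the one quoted: the transport must be https (so the download, and the password sent with uploads, cannot be intercepted in transit) and the `#md5=...` fragment must match the archive that actually arrives (so a substituted tarball is rejected). The following Python is an added illustration of those two checks written for this page; it is not easy_install's or distribute's own code, and the archive bytes and the dependency URLs are constructed for the example rather than taken from PyPI.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample archive: stands in for a downloaded tarball, NOT the real tzlocal-0.3.tar.gz.
SAMPLE_ARCHIVE = b"constructed tarball contents standing in for tzlocal-0.3.tar.gz\n"

# Same URL shape as in the message: a '#md5=<hex>' fragment carrying the expected digest.
# The digest here is computed over the constructed bytes above, not the real package digest.
SAMPLE_URL = (
    "https://pypi.python.org/packages/source/t/tzlocal/tzlocal-0.3.tar.gz#md5="
    + hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
)


def parse_digest_fragment(url):
    """Return (algorithm, hexdigest) from a '#<alg>=<hex>' URL fragment, or None if absent."""
    fragment = urlparse(url).fragment
    alg, sep, digest = fragment.partition("=")
    alg = alg.lower()
    # Only algorithms hashlib always provides; md5 is what PyPI links of this era carried.
    if not sep or alg not in hashlib.algorithms_guaranteed or not digest:
        return None
    return alg, digest.lower()


def check_download(url, data, require_https=True):
    """Decide whether 'data' fetched from 'url' may be installed.

    Returns (ok, reason). Rejects plain-http transport (the transition
    discussed above) and any archive whose digest differs from the fragment.
    """
    scheme = urlparse(url).scheme.lower()
    if require_https and scheme != "https":
        return False, "refusing non-https URL"
    parsed = parse_digest_fragment(url)
    if parsed is None:
        return False, "no digest fragment; integrity cannot be verified"
    alg, expected = parsed
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison; a plain '==' would leak mismatch position via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"{alg} mismatch"
    return True, "ok"


def plan_install(root_url, dependency_urls):
    """Classify the root package and its dependency links by transport.

    Old clients resolve dependencies over whatever scheme the index hands them;
    once the index is https-only, every http dependency link is a failed install
    the user must perform by hand. Returns (installable, needs_manual_install).
    """
    installable, manual = [], []
    for link in [root_url, *dependency_urls]:
        if urlparse(link).scheme.lower() == "https":
            installable.append(link)
        else:
            manual.append(link)
    return installable, manual


if __name__ == "__main__":
    print(check_download(SAMPLE_URL, SAMPLE_ARCHIVE))
    print(check_download(SAMPLE_URL, b"tampered archive"))
    # Constructed dependency links (hypothetical package names, not real PyPI paths).
    deps = [
        "http://pypi.python.org/packages/source/p/pytz-example/pytz-example.tar.gz",
        "https://pypi.python.org/packages/source/s/six-example/six-example.tar.gz",
    ]
    print(plan_install(SAMPLE_URL, deps))
```

Running the module prints `(True, 'ok')` for the untampered archive, `(False, 'md5 mismatch')` for altered bytes, and splits the constructed dependency list into the https link that still installs and the http link that would have to be installed separately, which is the situation the message describes for Python 2.3 clients.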
