[Catalog-sig] Proposal for the bootstrap API
Nick Coghlan
ncoghlan at gmail.com
Fri Feb 15 12:30:02 CET 2013
On Fri, Feb 15, 2013 at 7:28 PM, Tarek Ziadé <tarek at ziade.org> wrote:
> Looks completely legit to me, unfortunately... So until we catch that fish,
> damage can already be done.
When you're already in a (security) hole, the first thing you need to
do is *stop digging*.
We have a handful of projects which need a trusted way to distribute
a Python script in order to bootstrap installation tools on current
versions of Python. That's a real problem, and this proposal is a good
solution for that.
Generalising that to grant the ability to upload arbitrary bootstrap
scripts to every project for no good reason is making a bad situation
worse, for zero payoff. So let's not do that. For projects other than
distribute or pip, the bootstrap process should be:
1. Bootstrap pip
2. pip install project
Or, if the project needs egg support:
1. Bootstrap distribute
2. easy_install project
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia