[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Jacob Kaplan-Moss jacob at jacobian.org
Tue Mar 12 21:30:22 CET 2013


On Tue, Mar 12, 2013 at 3:16 PM, PJ Eby <pje at telecommunity.com> wrote:
> I'm confused by this statement.  "never access an external host" is
> not consistent with "have the option to specify what hosts you trust",
> while still keeping PyPI as a universal index of Python software.

Sorry to be confusing! I'm trying to make a distinction between the
out-of-the-box defaults and optional... options.

Here's what I mean: imagine I'm new to Python and getting started. I
grab my machine, install Python (via apt-get, homebrew, from source,
whatever), and grab whatever the programmer next to me at work tells
me is latest and greatest in the packaging world. No configuration, no
editing of a config file, no reading of documentation, just `apt-get
install python python-pip` or the equivalent.

Now I type `pip install Django`. Again, with no configuration, no
tweaking, no editing of anything, and no real understanding of what's
going on.

The point I'm trying to make is that I consider it absolutely critical
that this by-the-defaults approach gets me the *best* security the
Python ecosystem has to offer. So this means no external packages; it
also means signing and verifying once that infrastructure is in place
[1].

On the other hand, the "have the option" means that `pip install
<url>` needs to continue to work, too.

Is that clear? Again I'm sorry if I'm being confusing; I think I'm
having "translate from brain to keyboard" fail.

> I'm just saying, we don't need to change PyPI to do anything but drop
> the rel="" links, and change the tools to default allow-hosts to equal
> index-url.  (pip has the same parameters, not sure what config files
> it uses, though.  I don't think it inherits [easy_install] settings,
> though.)

As I've said, the implementation details aren't of a concern to me;
the result is.

Jacob

[1] There is also an important step a bit further down the line:
eliminating or drastically reducing the use of an executable setup.py.
But that's another show.
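The client-side half of what the thread describes (follow only index links whose host is in an allow-hosts list, with that list defaulting to the index's own host, so that an out-of-the-box `pip install Django` never leaves PyPI while an explicit opt-in still works) as an added, illustrative example. This is not code from pip, setuptools or PyPI. The simple-index HTML is constructed to resemble the old PyPI page layout of the time (in-index file links carrying an `#md5=` fragment plus `rel="homepage"` / `rel="download"` links pointing off-site); the function name, its return shape and the host names are the example's own assumptions.

```python
"""Filter a PyPI-style 'simple' index page to links on trusted hosts.

Illustrative example only; not pip's or setuptools' implementation.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of an old-style /simple/<project>/ page (not a real crawl).
SAMPLE_INDEX_URL = "https://pypi.python.org/simple/django/"
SAMPLE_INDEX_HTML = """
<html><head><title>Links for Django</title></head><body>
<h1>Links for Django</h1>
<a href="../../packages/source/D/Django/Django-1.5.tar.gz#md5=0123456789abcdef0123456789abcdef">Django-1.5.tar.gz</a><br/>
<a href="http://www.djangoproject.com/" rel="homepage">1.5 home_page</a><br/>
<a href="http://www.djangoproject.com/download/1.5/tarball/" rel="download">1.5 download_url</a><br/>
<a href="http://mirror.example.org/Django-1.5.tar.gz">Django-1.5.tar.gz</a><br/>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, rel, link text) for every <a> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = [a.get("href", ""), a.get("rel"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def classify_links(index_url, html, allow_hosts=None):
    """Split the page's links into (allowed, rejected) lists of dicts.

    allow_hosts defaults to the index's own host: the "default allow-hosts
    equals index-url" policy from the thread. Passing extra hosts is the
    explicit opt-in; nothing is trusted merely because the index links to it.
    """
    index_host = urlsplit(index_url).netloc.lower()
    trusted = {h.lower() for h in (allow_hosts or [index_host])}
    parser = _LinkCollector()
    parser.feed(html)

    allowed, rejected = [], []
    for href, rel, text in parser.links:
        url = urljoin(index_url, href)          # resolve relative in-index links
        parts = urlsplit(url)
        md5 = parts.fragment[4:] if parts.fragment.startswith("md5=") else None
        entry = {
            "url": url.split("#")[0],
            "host": parts.netloc.lower(),
            "rel": rel,
            "md5": md5,
            "text": text.strip(),
        }
        if rel in ("homepage", "download"):
            # Scraping hints that lead off the index to an arbitrary page.
            entry["reason"] = "rel=%s link leads off the index" % rel
            rejected.append(entry)
        elif entry["host"] not in trusted:
            entry["reason"] = "host %s not in allow-hosts" % entry["host"]
            rejected.append(entry)
        else:
            allowed.append(entry)
    return allowed, rejected


if __name__ == "__main__":
    ok, dropped = classify_links(SAMPLE_INDEX_URL, SAMPLE_INDEX_HTML)
    for e in ok:
        print("ALLOW ", e["url"], "md5=%s" % e["md5"])
    for e in dropped:
        print("REJECT", e["url"], "(%s)" % e["reason"])
```

With the defaults, only the file hosted on pypi.python.org survives; the two `rel` links and the mirror copy are rejected. Supplying `allow_hosts=["pypi.python.org", "mirror.example.org"]` admits the mirror, which is the "have the option" path the thread wants to keep open, and a hypothetical `pip install <url>` would likewise be an explicit statement of trust rather than something the index decided for the user.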
