[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
jacob at jacobian.org
Tue Mar 12 21:30:22 CET 2013
On Tue, Mar 12, 2013 at 3:16 PM, PJ Eby <pje at telecommunity.com> wrote:
> I'm confused by this statement. "never access an external host" is
> not consistent with "have the option to specify what hosts you trust",
> while still keeping PyPI as a universal index of Python software.
Sorry to be confusing! I'm trying to make a distinction between the
out-of-the-box defaults and optional... options.
Here's what I mean: imagine I'm new to Python and getting started. I
grab my machine, install Python (via apt-get, homebrew, from source,
whatever), and grab whatever the programmer next to me at work tells
me is latest and greatest in the packaging world. No configuration, no
editing of a config file, no reading of documentation, just `apt-get
install python python-pip` or the equivalent.
Now I type `pip install Django`. Again, with no configuration, no
tweaking, no editing of anything, and no real understanding of what's
The point I'm trying to make is that I consider it absolutely critical
that this by-the-defaults approach gets me the *best* security the
Python ecosystem has to offer. So this means no external packages, it
also means signing and verifying once that infrastructure is in place
On the other hand, the "have the option" means that `pip install
<url>` needs to continue to work, too.
Is that clear? Again I'm sorry if I'm being confusing; I think I'm
having "translate from brain to keyboard" fail.
> I'm just saying, we don't need to change PyPI to do anything but drop
> the rel="" links, and change the tools to default allow-hosts to equal
> index-url. (pip has the same parameters, not sure what config files
> it uses, though. I don't think it inherits [easy_install] settings,
As I've said, the implementation details aren't of a concern to me;
the result is.
This is also an important step: a bit further down the line is
eliminating or drastically reducing the use of an executable setup.py.
But that's another show.
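The default PJ Eby describes above (allow-hosts equal to the index host, with the rel="" homepage/download links no longer followed) can be shown as a small link filter. The following is an added illustration written for this page, not pip's or setuptools' code; the index URL, the sample index-page links and the function names are all constructed for the example, and the "explicit URL" check models the `pip install <url>` opt-in Jacob says must keep working.

```python
from urllib.parse import urljoin, urlparse

# Constructed example index URL; the default host allow-list is derived from it.
INDEX_URL = "https://pypi.python.org/simple/"

# Link rels that simple-index pages used to mark off-site homepage/download pointers.
EXTERNAL_RELS = {"homepage", "download"}


def default_allow_hosts(index_url=INDEX_URL, extra_hosts=()):
    """Out-of-the-box allow-list: only the index's own host, plus hosts the user explicitly opted into."""
    host = urlparse(index_url).hostname
    if not host:
        raise ValueError("index URL must have a host: %r" % index_url)
    return {host.lower()} | {h.lower() for h in extra_hosts}


def select_release_links(page_links, index_url=INDEX_URL, extra_hosts=()):
    """Split links scraped from an index page into (usable, rejected).

    page_links: iterable of (href, rel) pairs as found on the page; href may be relative.
    A link is usable only if, after resolving against the index URL, it is https and its
    host is in the allow-list. Links carrying rel="homepage"/"download" are never followed,
    even when they happen to point at the index host.
    """
    allowed = default_allow_hosts(index_url, extra_hosts)
    usable, rejected = [], []
    for href, rel in page_links:
        absolute = urljoin(index_url, href)  # relative hrefs resolve onto the index host
        parts = urlparse(absolute)
        host = (parts.hostname or "").lower()
        if rel in EXTERNAL_RELS:
            rejected.append((absolute, "rel=%s link not followed" % rel))
        elif parts.scheme != "https":
            rejected.append((absolute, "not https"))
        elif host not in allowed:
            rejected.append((absolute, "host %s not in allow-list" % host))
        else:
            usable.append(absolute)
    return usable, rejected


def requirement_is_explicit_url(requirement):
    """A URL the user typed (`pip install <url>`) is an explicit opt-in, not a scraped link,
    so it is not subject to the index-host default."""
    parts = urlparse(requirement)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


# Constructed sample of (href, rel) pairs as they might appear on a project's simple-index page.
SAMPLE_LINKS = [
    ("../../packages/source/D/Django/Django-1.5.tar.gz", None),            # on-index release file
    ("http://pypi.python.org/packages/source/D/Django/Django-1.4.tar.gz", None),  # plain http
    ("https://www.djangoproject.com/", "homepage"),                        # rel=homepage, not followed
    ("https://files.example.com/Django-1.5.tar.gz", None),                 # external host, no rel
    ("https://pypi.python.org/simple/Django/", "download"),                # rel=download, even on-index
]

if __name__ == "__main__":
    usable, rejected = select_release_links(SAMPLE_LINKS)
    print("usable by default:", usable)
    for link, why in rejected:
        print("rejected:", link, "-", why)
    # Opting a host in is an explicit configuration step, never the default.
    usable, _ = select_release_links(SAMPLE_LINKS, extra_hosts=("files.example.com",))
    print("usable with files.example.com trusted:", usable)
```

With no configuration only the on-index https release file survives; trusting an extra host, or passing a URL directly, is what turns external fetching back on.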