[Distutils] setuptools: package management and explicit version numbers
Phillip J. Eby
pje at telecommunity.com
Fri Aug 12 01:57:49 CEST 2005
At 06:09 PM 8/11/2005 -0500, Ian Bicking wrote:
>I think from a make-people-feel-comfortable perspective, it might be
>better if ez_setup informed the user of what it's doing (installing a
>build dependency) and got a confirmation. For instance, it can be
>disconcerting to do something that shouldn't require any privilege (e.g.,
>setup.py --help-commands) and end up triggering something that does
>require privilege (global installation of a package). Just an "I'm going
>to do this; OK?" question would be reassuring.
But then, how do you do that in such a way that an automated installation
process (other than EasyInstall) won't hang?
I suppose I could have the download function display a message followed by
a countdown timer that would allow you to abort by hitting ^C. That way,
an unattended process or lazy user (or slow reader :) could just proceed
without needing to do anything.
The only problem I see with that is that drawing the user's attention to
something that 99% of the time is going to be okay seems like a bad
idea. It's like "WARNING: I'm about to do something exactly like what
you'd do yourself by hand!"
I'll have to find a suitable way to spin the message, something like:
"""Hello! ez_setup has detected that you don't have a recent-enough
version of setuptools on your computer to be able to run this script. I'll
be happy to download and install it for you (along with any other packages
this script might need), but some firewalls may not allow programs like me
to download software from the Internet. So I'll pause for a few seconds
before starting the first download, to give you a chance to read this
message, so you'll know you need to grant me access if something pops up
asking if I should be allowed to connect to python.org. Thanks!
Beginning download in 20... 19... 18..."""
Hopefully, something like that could be made friendly enough so that most
people just ignore it.
> One scary one is if someone uses a Wiki page as a package index, and
> other people reference that without understanding the (considerable)
> danger. I *almost* did that myself, then I thought again and realized
> what a bad idea it would be.
That's why the best thing is to publish to PyPI if you can; source checkout
links can always go in URLs embedded in 'long_description', and
easy_install will still find them.
>But other layers of consistency are possible. For instance, for a package
>to be "trusted" by PyPI (on some level), maybe an email confirmation of
>substantive package updates would be required (like new releases, new
>versions of files, etc). This is just another consistency check -- make
>sure that the person on the other end of the registered email address
>approves what the person with the login account is doing (of course
>usually those are the same person).
At the very least, sending them emails about stuff that's happening would
ensure they find out their account has been hacked. Assuming the address
is still valid, of course, which isn't always the case. :(
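The countdown-with-^C idea discussed above, written out as an added example (this is not ez_setup code, and the message proposes no implementation). It shows the two properties the thread cares about: a human can abort before anything privileged happens, while an unattended build (no terminal on stdin, or a hypothetical EZ_SETUP_NONINTERACTIVE opt-out variable) does not stall on the wait. The function names, the variable name and the sleep-injection hook are all assumptions made for the example.

```python
"""Consent countdown for a bootstrap installer (added example, not ez_setup code).

Prints a notice, counts down, and lets KeyboardInterrupt (^C) abort the
download step. If nobody is there to read the notice (stdin is not a tty, or
the hypothetical EZ_SETUP_NONINTERACTIVE variable is set) the wait is skipped
so an automated process does not hang. All names here are assumptions.
"""
import os
import sys
import time

NOTICE = (
    "ez_setup has detected that you don't have a recent-enough version of\n"
    "setuptools to run this script. It will download and install it (and any\n"
    "other packages this script needs). Press ^C now to abort.\n"
)


def unattended(stdin=sys.stdin, environ=os.environ):
    """True when no human can read the message, so pausing would only stall a build."""
    if environ.get("EZ_SETUP_NONINTERACTIVE"):  # hypothetical opt-out variable
        return True
    isatty = getattr(stdin, "isatty", None)
    return not (isatty and isatty())


def countdown(seconds, sleep=time.sleep, out=sys.stdout,
              stdin=sys.stdin, environ=os.environ):
    """Return True to proceed with the download, False if the user hit ^C.

    `sleep` is injectable so the abort path can be exercised without real delays.
    """
    out.write(NOTICE)
    if unattended(stdin, environ):
        out.write("No terminal attached; skipping the countdown.\n")
        return True
    out.write("Beginning download in")
    try:
        for remaining in range(seconds, 0, -1):
            out.write(" %d..." % remaining)
            out.flush()
            sleep(1)
    except KeyboardInterrupt:
        out.write("\nAborted by user; nothing was downloaded.\n")
        return False
    out.write("\n")
    return True


def download_dependency(fetch, seconds=20, **kw):
    """Run the consent countdown, then call fetch() only if the user did not abort.

    fetch() stands in for the real HTTP download; None means it never ran.
    """
    if not countdown(seconds, **kw):
        return None
    return fetch()


if __name__ == "__main__":
    # Demo with a constructed stand-in for the download; try pressing ^C.
    result = download_dependency(lambda: b"setuptools-0.6.egg", seconds=3)
    print("fetched" if result else "skipped")
```

Keeping the privileged step behind a function that returns None when the user aborts makes the "I'm about to do this; OK?" behaviour testable and keeps the download from being reached by accident on the abort path.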