[Distutils] setuptools: package management and explicit version numbers

Phillip J. Eby pje at telecommunity.com
Fri Aug 12 01:57:49 CEST 2005

At 06:09 PM 8/11/2005 -0500, Ian Bicking wrote:
>I think from a make-people-feel-comfortable perspective, it might be 
>better if ez_setup informed the user of what it's doing (installing a 
>build dependency) and get a confirmation.  For instance, it can be 
>disconcerting to do something that shouldn't require any privilege (e.g., 
>setup.py --help-commands) and end up triggering something that does 
>require privilege (global installation of a package).  Just an "I'm going 
>to do this; OK?" question would be reassuring.

But then, how do you do that in such a way that an automated installation 
process (other than EasyInstall) won't hang?

I suppose I could have the download function display a message followed by 
a countdown timer that would allow you to abort by hitting ^C.  That way, 
an unattended process or lazy user (or slow reader :) could just proceed 
without needing to do anything.

The only problem I see with that is that drawing the user's attention to 
something that 99% of the time is going to be okay seems like a bad 
idea.  It's like "WARNING: I'm about to do something exactly like what 
you'd do yourself by hand!"

I'll have to find a suitable way to spin the message, something like:

"""Hello!  ez_setup has detected that you don't have a recent-enough 
version of setuptools on your computer to be able to run this script.  I'll 
be happy to download and install it for you (along with any other packages 
this script might need), but some firewalls may not allow programs like me 
to download software from the Internet.  So I'll pause for a few seconds 
before starting the first download, to give you a chance to read this 
message, so you'll know you need to grant me access if something pops up 
asking if I should be allowed to connect to python.org.  Thanks!

Beginning download in 20...  19...  18...

Hopefully, something like that could be made friendly enough so that most 
people just ignore it.

>  One scary one is if someone uses a Wiki page as a package index, and 
> other people reference that without understanding the (considerable) 
> danger.  I *almost* did that myself, then I thought again and realized 
> what a bad idea it would be.

That's why the best thing is to publish to PyPI if you can; source checkout 
links can always go in URLs embedded in 'long_description', and 
easy_install will still find them.

>But other layers of consistency are possible.  For instance, for a package 
>to be "trusted" by PyPI (on some level), maybe an email confirmation of 
>substantive package updates would be required (like new releases, new 
>versions of files, etc).  This is just another consistency check -- make 
>sure that the person on the other end of the registered email address 
>approves what the person with the login account is doing (of course 
>usually those are the same person).

At the very least, sending them emails about stuff that's happening would 
ensure they find out their account has been hacked.  Assuming the address 
is still valid, of course, which isn't always the case.  :(

More information about the Distutils-SIG mailing list