[Distutils] setuptools: package management and explicit version numbers
Ian Bicking
ianb at colorstudy.com
Fri Aug 12 06:32:56 CEST 2005
Phillip J. Eby wrote:
> At 06:09 PM 8/11/2005 -0500, Ian Bicking wrote:
>
>> I think from a make-people-feel-comfortable perspective, it might be
>> better if ez_setup informed the user of what it's doing (installing a
>> build dependency) and get a confirmation. For instance, it can be
>> disconcerting to do something that shouldn't require any privilege
>> (e.g., setup.py --help-commands) and end up triggering something that
>> does require privilege (global installation of a package). Just an
>> "I'm going to do this; OK?" question would be reassuring.
>
> But then, how do you do that in such a way that an automated
> installation process (other than EasyInstall) won't hang?
>
> I suppose I could have the download function display a message followed
> by a countdown timer that would allow you to abort by hitting ^C. That
> way, an unattended process or lazy user (or slow reader :) could just
> proceed without needing to do anything.
>
> The only problem I see with that is that drawing the user's attention to
> something that 99% of the time is going to be okay seems like a bad
> idea. It's like "WARNING: I'm about to do something exactly like what
> you'd do yourself by hand!"
Hopefully setuptools won't get installed 99% of the time, just once or
twice per machine. Because setuptools installation can happen even when
nothing installation-related is being requested, it's a bit out of the
norm. Hence the confirmation, or at least prominent notification.
I also, like most unix users, don't usually start by running a command
as root, so ez_setup will fail in that situation. At least by putting
up the interactive message it's not going to be as surprising when that
happens.
>> But other layers of consistency are possible. For instance, for a
>> package to be "trusted" by PyPI (on some level), maybe an email
>> confirmation of substantive package updates would be required (like
>> new releases, new versions of files, etc). This is just another
>> consistency check -- make sure that the person on the other end of the
>> registered email address approves what the person with the login
>> account is doing (of course usually those are the same person).
>
> At the very least, sending them emails about stuff that's happening
> would ensure they find out their account has been hacked. Assuming the
> address is still valid, of course, which isn't always the case. :(
Until you start getting phishing emails trying to pretend that your
account is hacked. Ah, life on the internet... ):
--
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
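The two mechanisms discussed in the exchange above, the "I'm going to do this; OK?" countdown that an unattended build can run through without hanging, and a privilege check done before any download is attempted so a non-root user is told up front rather than failing after the fetch, as an added example in Python 3. This is not code from the thread or from setuptools/ez_setup; the function names, the "install"/"abort"/"need_privilege" outcome values and the injectable sleep/access hooks are assumptions made here for illustration.

```python
import os
import sys
import sysconfig
import time


def install_target_writable(target=None, access=os.access):
    """Return True if the install location can be written by this process.

    target defaults to the interpreter's site-packages (purelib) directory.
    If that directory does not exist yet, the nearest existing ancestor is
    probed instead. `access` is injectable so the unprivileged path can be
    exercised in a test without chmod tricks (assumption for this example).
    """
    probe = target or sysconfig.get_paths()["purelib"]
    while not os.path.isdir(probe):
        parent = os.path.dirname(probe)
        if parent == probe:  # reached the filesystem root
            break
        probe = parent
    return access(probe, os.W_OK)


def confirm_or_countdown(message, seconds=10, interactive=None,
                         stream=sys.stderr, sleep=time.sleep):
    """Announce an action and give an interactive user a chance to abort.

    A session with no tty on stdin proceeds at once, so an automated build
    never blocks on a prompt. An interactive session gets a countdown and
    Ctrl-C (KeyboardInterrupt) aborts. Returns True to proceed.
    """
    if interactive is None:
        interactive = sys.stdin is not None and sys.stdin.isatty()
    stream.write(message + "\n")
    if not interactive:
        stream.write("non-interactive session: proceeding without confirmation\n")
        return True
    try:
        for remaining in range(seconds, 0, -1):
            stream.write("proceeding in %2ds, press Ctrl-C to abort\r" % remaining)
            stream.flush()
            sleep(1)
    except KeyboardInterrupt:
        stream.write("\naborted by user\n")
        return False
    stream.write("\n")
    return True


def plan_bootstrap(target=None, seconds=10, interactive=None,
                   stream=sys.stderr, sleep=time.sleep, access=os.access):
    """Decide what a bootstrap step should do before touching the network.

    Returns 'need_privilege' if the install location is not writable (fail
    early with an explanation instead of downloading and then failing),
    'abort' if the user hit Ctrl-C during the countdown, else 'install'.
    """
    if not install_target_writable(target, access=access):
        stream.write("cannot write to the install location; rerun with "
                     "sufficient privilege or install into a user directory\n")
        return "need_privilege"
    message = ("setuptools is not installed; about to download and install "
               "it as a build dependency (this is not part of the command "
               "you ran).")
    if confirm_or_countdown(message, seconds=seconds, interactive=interactive,
                            stream=stream, sleep=sleep):
        return "install"
    return "abort"


def fake_ctrl_c(_seconds):
    """Stand-in for time.sleep that behaves as if the user pressed Ctrl-C."""
    raise KeyboardInterrupt


def no_sleep(_seconds):
    """Stand-in for time.sleep so a countdown finishes instantly."""


def deny_access(_path, _mode):
    """Stand-in for os.access that reports the location as unwritable."""
    return False


if __name__ == "__main__":
    # Real run: real tty detection, real site-packages, real 3-second countdown.
    print(plan_bootstrap(seconds=3))
```

The privilege check runs before the confirmation on purpose: the point of the thread is that a command which should need no privilege can otherwise end up attempting a global install, and the user should learn that before anything has been fetched, not after.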