[Distutils] setuptools: package management and explicit version numbers

Paul Moore p.f.moore at gmail.com
Fri Aug 12 13:02:54 CEST 2005

On 8/11/05, Phillip J. Eby <pje at telecommunity.com> wrote:

> And without those signatures, your hand-installation procedure provides you
> with *zero* additional security unless you're personally inspecting every
> single line of code you install.  Heck, you're running downloaded .exe
> files with unsigned code, for heaven's sake!  And you're worried because
> ez_setup downloads the setuptools egg?  Crikey.  :)

Told you I'm not security-conscious (hey, I'm not conscious most of
the time! :-))

I'm a naive user who knows the Internet's a scary place, but doesn't
really think people are going to bother mocking up a website just to
pick on users of Python's PIL module. So if I go to the website and
*see* that it looks OK, I trust it.

But ez_setup just went off and got something, from somewhere. I never
saw the page with the link on it, so what if the link ez_setup used
was wrong? I never got to see a nice reassuring webpage with Fredrik's
name on it, so how can I be sure I got the right place?

I'm not *actually* that naive, but I do tend to prefer to be very
"manual" when I interact with the internet, just because I trust
myself (probably incorrectly!) more than I trust an automated

OK, I retract the suggestion that no download be the default, but I'd
still like a "manual download" option, which doesn't grab stuff
automatically. After all, ez_setup has the option to go to a local
cache (I can't recall how it works, but I know you mentioned it
before). Why can't I say that I trust the cache (it's been vetted,
virus scanned, whatever) so use that, but *don't* go elsewhere? Then I
download what I think I need, do the install, and get messages
reporting any eggs I missed. I grab those, vet them, and try again.
Repeat as needed....
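The "trust the cache, but don't go elsewhere" behaviour Paul asks for above can be sketched as a small resolver. This is an added illustration, not code from the thread or from setuptools/ez_setup: the function name `resolve_from_cache`, the manifest layout (name to filename plus SHA-256 recorded when the cache was vetted) and the sample egg files are all assumptions made for the example. The point it demonstrates is fail-closed resolution: anything absent from the vetted cache, or whose hash no longer matches, is reported rather than fetched.

```python
"""Resolve distributions strictly from a vetted local cache, never the network.

Added example for the Distutils-SIG thread; not part of setuptools. The
function names and manifest format are assumptions for illustration.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large eggs are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_from_cache(requirements, cache_dir, manifest):
    """Return (installable, missing, tampered) lists of distribution names.

    requirements: distribution names the install needs, e.g. ["PIL"].
    cache_dir:    directory holding the eggs that were vetted by hand.
    manifest:     dict name -> (filename, sha256) written when the cache was
                  vetted. Nothing outside it is trusted, and nothing is ever
                  downloaded: the caller gets a report of what to go and get.
    """
    installable, missing, tampered = [], [], []
    for name in requirements:
        entry = manifest.get(name)
        if entry is None:
            missing.append(name)          # never vetted -> fetch it manually
            continue
        filename, expected = entry
        path = os.path.join(cache_dir, filename)
        if not os.path.isfile(path):
            missing.append(name)          # vetted once, but the file is gone
            continue
        if sha256_of(path) != expected:
            tampered.append(name)         # file changed since it was vetted
            continue
        installable.append(name)
    return installable, missing, tampered


def build_demo_cache():
    """Constructed sample cache: two fake egg files plus their vetted hashes."""
    cache = tempfile.mkdtemp(prefix="vetted-eggs-")
    manifest = {}
    for name, content in [("setuptools", b"fake setuptools egg"),
                          ("PIL", b"fake PIL egg")]:
        filename = "%s-0.0-py2.4.egg" % name       # constructed name
        with open(os.path.join(cache, filename), "wb") as handle:
            handle.write(content)
        manifest[name] = (filename, hashlib.sha256(content).hexdigest())
    return cache, manifest


def demo():
    """Run the resolver over a cache where one egg was altered after vetting."""
    cache, manifest = build_demo_cache()
    # Simulate a swapped file: the vetted hash stays, the PIL egg changes.
    with open(os.path.join(cache, manifest["PIL"][0]), "ab") as handle:
        handle.write(b"\x00tampered")
    # docutils was never vetted, so it must come back as missing, not fetched.
    return resolve_from_cache(["setuptools", "PIL", "docutils"], cache, manifest)


if __name__ == "__main__":
    ok, missing, bad = demo()
    print("installable:", ok)
    print("missing (download and vet by hand):", missing)
    print("tampered (hash mismatch, do not install):", bad)
```

Running the script installs nothing itself; it only classifies. The loop "grab those, vet them, and try again" from the message maps onto re-running `resolve_from_cache` after the missing names have been added to the cache and the manifest.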
