[Distutils] formencode as .egg in Debian ??
Phillip J. Eby
pje at telecommunity.com
Fri Nov 25 16:37:51 CET 2005
At 04:22 PM 11/25/2005 +0100, Janusz A. Urbanowicz wrote:
>On Fri, Nov 25, 2005 at 09:23:04AM -0500, Phillip J. Eby wrote:
> > Now, it's possible for an individual coder to write an application or
> > library that invokes easy_install itself, but anybody can write bad code
> > and that's what you have a QA process for, no?
>Yes and no; malicious code of this kind gets eventually weed out _after a
>while_, but this is wrong by design, not to be corrected by QA process.
I'm just pointing out that *I* can't control what some arbitrary author
chooses to write. But the libraries that *I* wrote are not going to
download and install something automatically unless the user ran
easy_install or a setup.py file.
Also, there is a trivial way to "opt out" of any such automatic downloading
that some arbitrary author may write; the configuration files for
easy_install can include allow_hosts=localhost, which will prevent
easy_install from downloading any URL that's spelled with a host name other
than localhost. You can also use wildcard patterns to set hostname masks
for acceptable download locations.
Of course, an application author can override the options set by the config
files, or write their own downloading tools. I'm just pointing out that
easy_install does allow a user to place restrictions on where packages can
be obtained from (and thereby whether they can be obtained at all), even
when the user has explicitly chosen to run easy_install or a setup.py.
More information about the Distutils-SIG