[Distutils] formencode as .egg in Debian ??
Phillip J. Eby
pje at telecommunity.com
Fri Nov 25 16:37:51 CET 2005
At 04:22 PM 11/25/2005 +0100, Janusz A. Urbanowicz wrote:
>On Fri, Nov 25, 2005 at 09:23:04AM -0500, Phillip J. Eby wrote:
> > Now, it's possible for an individual coder to write an application or
> > library that invokes easy_install itself, but anybody can write bad code
> > and that's what you have a QA process for, no?
>
>Yes and no; malicious code of this kind gets eventually weeded out _after a
>while_, but this is wrong by design, not to be corrected by QA process.

I'm just pointing out that *I* can't control what some arbitrary author
chooses to write. But the libraries that *I* wrote are not going to
download and install something automatically unless the user ran
easy_install or a setup.py file.

Also, there is a trivial way to "opt out" of any such automatic downloading
that some arbitrary author may write; the configuration files for
easy_install can include allow_hosts=localhost, which will prevent
easy_install from downloading any URL that's spelled with a host name other
than localhost. You can also use wildcard patterns to set hostname masks
for acceptable download locations.

Of course, an application author can override the options set by the config
files, or write their own downloading tools. I'm just pointing out that
easy_install does allow a user to place restrictions on where packages can
be obtained from (and thereby whether they can be obtained at all), even
when the user has explicitly chosen to run easy_install or a setup.py.
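
The allow_hosts restriction described in the message above, as an added example that is not part of the original post and is not easy_install's own code. The sample config, the `*.internal.example` mask, the URLs and the helper names are constructed, and matching the parsed host name against shell-style wildcards is an assumption about the semantics.

```python
import configparser
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample config: distutils-style config files use one section per
# command; the second mask is a made-up internal mirror pattern.
SAMPLE_CFG = """
[easy_install]
allow_hosts = localhost, *.internal.example
"""


def load_host_masks(cfg_text):
    """Return the lower-cased host masks from [easy_install] allow_hosts."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    # Assumption: with no restriction configured, every host is acceptable.
    raw = parser.get("easy_install", "allow_hosts", fallback="*")
    return [mask.strip().lower() for mask in raw.split(",") if mask.strip()]


def host_allowed(url, masks):
    """True if the URL's host name matches at least one mask.

    Only the parsed host name is compared, so a mask cannot be satisfied by
    text in the userinfo, path or query part of the URL.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatchcase(host, mask) for mask in masks)


def audit(urls, masks):
    """Map each candidate download URL to True (allowed) or False (blocked)."""
    return {url: host_allowed(url, masks) for url in urls}


if __name__ == "__main__":
    masks = load_host_masks(SAMPLE_CFG)
    candidates = [  # constructed URLs
        "http://localhost/dist/FormEncode.egg",
        "http://pkgs.internal.example:8080/FormEncode.egg",
        "http://localhost.mirror.example/FormEncode.egg",
        "http://localhost@mirror.example/FormEncode.egg",
        "http://mirror.example/get?host=localhost",
    ]
    for url, ok in audit(candidates, masks).items():
        print("allow" if ok else "block", url)
```
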