[Distutils] GUI for Python package Management
sienkiew at stsci.edu
Thu Jan 29 23:29:28 CET 2009
>> I very much dislike things that automatically download and install
>> software. An automatic installer may find a different version of a
>> supporting package every time I install software on another machine.
> if the application asks for the different version then yes it should
> download the version that was asked for and installed for that
> application. It will only find a different version each time if the
> application asks for it.
Here is an example of the scenario I am trying to avoid:
Suppose the package foobar asks for "xyzzy > 2.3".
On machine Fred, I install foobar on Tuesday. I do not even know that
foobar needs xyzzy, so unless I watch the install closely, Fred may have
xyzzy 2.4 installed.
On machine Barney, I install foobar on Wednesday. I do not know there
was a new release of xyzzy overnight, but Barney now has xyzzy 2.5
Six months from now, my user says "YOUR program is broken - it doesn't
do the same thing on Fred and Barney".
I figure out that it is the version of xyzzy, then decide that the
correct answers come when I use 2.4. It was automatically installed, so
I don't have a copy of it in my archive of source code. I try to
download it, but I can only find 2.5, 2.6, and 2.7 online.
What do I do?
On machine Fred, I install foobar on Tuesday, but I use --no-automatic.
It says "You must have xyzzy > 2.3".
I download xyzzy 2.4 to my collection of source code, install it on
Fred, then install foobar. Everything works.
On Wednesday, I install, on Barney, xyzzy 2.4 from my collection of
source code and my own package foobar.
Six months from now, my user sees that my program does the same thing on
Fred and Barney.
>> I keep careful track of what is installed on all my machines. If the
>> tool automatically installs any version other than the one I
>> specified, then the tool is working _against_ me. I don't need that.
> No it is working like the application writer specified it.
I agree, except for the part where you said "No". :)
I think the correct description is "Yes! It is working like the
application writer specified it, but it is making proper configuration
>> Ideally, there would be a flag that says "if you can't find
>> something, give me an error -- do not attempt to download/install
>> anything". But it would be helpful if it can tell me "Package xyzzy
>> is missing, but you can get it from here:..."
> This I agree, it should have a way to ignore some requests or even all
> requests of the application that is launched, maybe even have a
> configuration file somewhere (or a registry key, or a plist file
> depending on the os) that override the default, which I think should
> be give the running application the version that it specifies
> (standard packaging version rules apply, if it asks for package >=1.0
> then any version newer than 1.0 is sufficient)
Good point -- we need two options here:
1. do not download/install anything, just raise an error
2. use the version module XXX that I have, even though the package says
it is not suitable
> But this is just a proposition that I think will never be able to work
> with python without security or only signed and pre approved packages
> on pypi.
Is it really different from what setuptools already does?
Do we know how CPAN handles security?
More information about the Distutils-SIG