[Distutils] Alternate static metadata PEP submission...

David Lyon david.lyon at preisshare.net
Tue Nov 3 07:20:12 CET 2009

> On Fri, Oct 30, 2009 at 6:24 PM, Chris Withers <chris at simplistix.co.uk>
> wrote:
>> I think "python setup.py install" is so idiomatic that it seems silly to
>> break it for the sake of two lines of python.

Ok. Well, I've been experimenting with "python -m setup install" and
I'm sure that I can get it to do the right thing.

"python -m setup install", thanks to George, is my new answer to life,
universe and packaging.

> This may well have been a reasonable choice at the time it was made
> over a decade ago (and yes, I was there, discussing distutils with
> Greg Ward during the birthing, so you can probably even lay some of
> the blame at my feet).  

Don't be so harsh on yourself. setup.py has served a lot of people
extremely well. It's only a minor change to go to "python -m setup 
install". It's pretty much a way of preserving the setup.py but
executing it in a more 'secure' manner.

> I worry more about having to review someone else's ad-hoc setup.py, 
> usually under deadline pressure, especially given how many variations 
> there are.

Doing the conversions is going to be the interesting part.

I'm already tossing around ways I can run a legacy 'python setup.py
install' and then compare it with a 'python -m setup install'.

In most cases, you'd hope that they'd be the same.

Fortunately, there's not a shortage of packages on PyPI that can
be used as test data.

Moving setup.py from the package into stdlib isn't such a big
change. I'm sure many security type people would be comfortable
with this approach.
