[Distutils] Alternate static metadata PEP submission...
david.lyon at preisshare.net
Tue Nov 3 07:20:12 CET 2009
> On Fri, Oct 30, 2009 at 6:24 PM, Chris Withers <chris at simplistix.co.uk>
>> I think "python setup.py install" is so idiomatic that it seems silly to
>> break it for the sake of two lines of python.
Ok. Well, I've been experimenting with "python -m setup install" and
I'm sure that I can get it to do the right thing.
"python -m setup install", thanks to George, is my new answer to life,
universe and packaging.
> This may well have been a reasonable choice at the time it was made
> over a decade ago (and yes, I was there, discussing distutils with
> Greg Ward during the birthing, so you can probably even lay some of
> the blame at my feet).
Don't be so harsh on yourself. setup.py has served a lot of people
extremely well. It's only a minor change to go to "python -m setup
install". It's pretty much a way of preserving the setup.py but
executing it in a more 'secure' manner.
> I worry more about having to review someone else's ad-hoc setup.py,
> usually under deadline pressure, especially given how many variations
> there are.
Doing the conversions is going to be the interesting part.
I'm already tossing around ways I can run a legacy 'python setup.py
install' and then compare it with a 'python -m setup install'
In most cases, you'd hope that they'd be the same.
Fortunately, there's not a shortage of packages on pypi that can
be used as test data.
Moving setup.py from the package into stdlib, isn't such a big
change. I'm sure many security type people would be comfortable
with this approach.
More information about the Distutils-SIG