[Distutils] `setup.py register` can't create PyPI account.

Tarek Ziadé ziade.tarek at gmail.com
Tue Jul 13 09:53:54 CEST 2010


On Tue, Jul 13, 2010 at 2:32 AM, Tres Seaver <tseaver at palladion.com> wrote:
>
> Tarek Ziadé wrote:
>> 2010/7/13 "Martin v. Löwis" <martin at v.loewis.de>:
>> ...
>>>> Again, maybe it's flawed, and maybe we should remove it. But you cannot
>>>> break this feature in Python 2.5, 2.6, etc. because you find it flawed today.
>>> And it's not the reason that I broke it. Instead, the reason is that the
>>> PSF required me to make the change. I didn't even remember that this
>>> would break distutils. Now that I think about it, I think it's distutils
>>> that needs to get fixed going forward. For backwards compatibility, I'm
>>> willing to accept solutions as long as they don't allow users to bypass
>>> that checkbox.
>>
>> I understand why you did that change, and I understand the reasons.
>> We also agree that Distutils needs to be fixed, and this is being
>> worked out in Distutils2.
>>
>> But I strongly disagree that it's better to break existing Python
>> versions to comply with the PSF legal policy. I think this is a
>> mistake, and I think it's acceptable to bypass that policy in
>> distutils. That policy didn't exist back then, so it makes perfect
>> sense not to have it in Distutils.
>
> The breakage you are talking about here is only for an *extremely rare*
> case:  a user runs 'setup.py register' without having first created an
> account through the web UI.  I think Martin is right, and that the fact
> that it used to work was an undocumented misfeature (even a security hole).

It's not extremely rare. You do it just once that is. I've documented
that feature in several books, as the first step when you do your
first package registration.

Tarek
-- 
Tarek Ziadé | http://ziade.org