[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Wed Jul 31 08:23:46 CEST 2013


On Jul 31, 2013, at 1:38 AM, holger krekel <holger at merlinux.eu> wrote:

> Hi Donald,
> 
> On Tue, Jul 30, 2013 at 14:04 -0400, Donald Stufft wrote:
>> On Jul 30, 2013, at 1:13 PM, PJ Eby <pje at telecommunity.com> wrote:
>> 
>>> On Tue, Jul 30, 2013 at 4:14 AM, Donald Stufft <donald at stufft.io> wrote:
>>>> Heh, I'm pretty good at getting yelled at :)
>>> 
>>> Nick is also pretty good at making people feel like he both knows and
>>> *cares* about their breakage, and isn't just dismissing their concerns
>>> as trivial or unimportant.  Breakage isn't trivial or unimportant to
>>> the person who's yelling, so this is an important
>>> community-maintenance skill.  It builds trust, and reduces the total
>>> amount of yelling.
>> 
>> *shrug*, If I didn't care I would have made this change as soon as
>> Nick said it was ok. Instead I declared I was going to and waited to
>> make sure nobody else had any concerns. And once Holger said he did I
>> said ok I won't do it. Maybe my mannerisms give the impression I don't
>> but that's actually pretty far from the truth. For this particular
>> change I originally created the pip commit that allowed it, and then
>> again I created the setuptools commit, backporting hashlib into
>> setuptools to support Python 2.4. I put a decent amount of effort into
>> trying to make sure that nothing broke but in the end there were still
>> concerns :)
> 
> For the record, I am all for putting generic hash support into the
> installers and maybe preparing for an eventual change to make PyPI serve
> sha256 hashes.  However, to me it's not clear if such a move may become
> obsolete through the potential advent of TUF.

pip has had generic hash support since 1.2 and setuptools since 0.9, and since
I believe zc.buildout just lets setuptools do the downloads, it'd be when
using 0.9 for it.

The idea was that this was an easy-win security hardening. Something like TUF
would more or less obsolete it, but TUF isn't on the immediate radar.

> 
> My original objection reason was tied to generally pushing for more focus 
> on backward-compatibility.  I am grateful that several people including you,
> Nick and Jannis acknowledged the point.
> 
> best,
> holger
> 


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
