[Distutils] Self-contained bootstrap scripts [was: Re: A new, experimental packaging tool: distil]

Daniel Holth dholth at gmail.com
Thu Mar 28 15:50:11 CET 2013


Not really trying to tell Vinay to rewrite his script, but IMHO if you
expect it, unzip is a lot easier than
file.write(module.random_attribute.decode('base64')). The runnable zip
feature is awesome, not well enough known, and totally worth promoting
over the shar pattern; with some minimal tooling you'd be good to go.

On Thu, Mar 28, 2013 at 10:44 AM, Philippe Ombredanne
<pombredanne at nexb.com> wrote:
> On Thu, Mar 28, 2013 at 2:33 PM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>>> From: Philippe Ombredanne <pombredanne at nexb.com>
>>> On the other hand, I find it somewhat discomforting as an emerging
>>> best way to package and distribute self-contained bootstrap scripts.
>
>>> Virtualenv does it, distil is doing it now, pip tried some of it here
>>> https://github.com/pypa/pip/blob/develop/contrib/get-pip.py
>>> In contrast, buildout, distribute and setuptools bootstrap scripts do
>>> not embed their dependencies and either try to get them satisfied
>>> locally or attempt to download the requirements.
>>
>> And all this time, they would have been vulnerable to a MITM attack
>> on PyPI because PyPI didn't support verifiable SSL connections
>> until recently. It's good to be cautious, but Bruce Schneier has
>> plenty of stories about caution directed in the wrong directions.
>
> I am not so worried about security... I brought the point here because
> this is the packaging and distribution list, and I see this as an
> emerging pattern for the packaging and distribution of bootstrap
> scripts and this is something that has not been discussed much before.
>
> Conceptually I find these no different from setup.py scripts, and
> these have been mostly normalized (or at the minimum have a
> conventional name and a conventional if not specified interface.)
>
> Yet today, for the all important core package and environment
> management tools, we have bootstrap scripts each with different
> interfaces and different approaches to self containment or no
> containment.
>
> I feel this is worth discussing as bootstrapping is where everything begins :)
>
> --
> Philippe Ombredanne
>
> +1 650 799 0949 | pombredanne at nexB.com
> DejaCode Enterprise at http://www.dejacode.com
> nexB Inc. at http://www.nexb.com
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
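
The runnable-zip approach mentioned in the message above, as an added example that is not part of the thread or of any tool it discusses: it builds an archive with a top-level `__main__.py`, lists and hashes every member without executing anything, then runs it the way a user would with `python archive.zip`. The file names, contents and function names are constructed for illustration.

```python
import hashlib
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

# Constructed sample payload: an entry point plus one bundled dependency.
FILES = {
    "__main__.py": "import helper\nprint(helper.greet())\n",
    "helper.py": "def greet():\n    return 'bootstrap ok'\n",
}

def build_runnable_zip(path, files=FILES):
    """Write a zip that `python <path>` can execute (needs a top-level __main__.py)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in sorted(files):
            # Fixed timestamp and order so the same input yields the same bytes.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return path

def audit(path):
    """Return {member: sha256} using only the zip reader; nothing is executed."""
    with zipfile.ZipFile(path) as zf:
        bad = zf.testzip()  # CRC check of every member
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist()}

def run(path):
    """Execute the archive with the current interpreter and return its output."""
    proc = subprocess.run([sys.executable, str(path)],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()

def demo():
    """Build, audit, then run a bootstrap archive in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_runnable_zip(Path(tmp) / "bootstrap.zip")
        return audit(archive), run(archive)

if __name__ == "__main__":
    digests, output = demo()
    for name, digest in digests.items():
        print(digest, name)
    print("output:", output)
```

The same listing is available from the command line with `unzip -l` or `python -m zipfile -l`, which is what makes the bundled files reviewable before the script is run.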

