[Distutils] does pypi or red-dove have a better firehose API than "download all the packages"?

Donald Stufft donald at stufft.io
Fri May 24 15:55:56 CEST 2013


On May 24, 2013, at 9:54 AM, holger krekel <holger at merlinux.eu> wrote:

> On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
>> On May 24, 2013, at 7:17 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>> 
>>>> From: holger krekel <holger at merlinux.eu>
>>>>
>>>> Nice.  How do you actually get at the dependencies?  Don't you
>>>> need to execute setup.py for that?
>>>
>>> Yes, that's how it's done. However, the idea is to do it once per uploaded release and remember the results, so an installer tool like pip doesn't have to download and run setup.py every time :-)
>> 
>> So what you're saying is I can root your machine with a setup.py? ;)
> 
> That's the immediate risk, indeed :)  However, I guess one could use a VM
> with a chroot and a dedicated user and time out the setup after 20 seconds
> or so to regain some safety.   It's a bit horrible, but OTOH I'd really
> like to have this information (especially the deps) without requiring
> everybody to switch to a new packaging format first.
> 
> holger

Most packages also have an egg-info inside of them you can parse.

Of course the issue is that you're only going to get the requirements of the system that ran setup.py, either the author's or the server's, which doesn't accurately represent all of the dependencies all of the time.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
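Reading the dependency metadata from the egg-info directory shipped inside an sdist, as suggested above, instead of executing its setup.py. This is an added example and not code from the thread: the tarball contents are constructed in memory and the function names are mine. Note the caveat from the reply: requires.txt is a snapshot of whatever environment the uploader ran setup.py in, not a ground-truth dependency set.

```python
import io
import tarfile


def parse_requires_txt(text):
    """Parse setuptools' requires.txt.

    Bare lines before any header are install_requires; a '[name]' header
    starts an extra, and a '[:marker]' header starts a conditional section.
    """
    base, sections, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            base.append(line)
        else:
            sections[current].append(line)
    return base, sections


def static_requirements(sdist_bytes):
    """Return (install_requires, sections) from <pkg>.egg-info/requires.txt
    inside an sdist tarball, reading members in memory only (nothing is
    extracted to disk and setup.py is never run). (None, {}) if absent."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if (member.isfile() and len(parts) >= 2
                    and parts[-2].endswith(".egg-info")
                    and parts[-1] == "requires.txt"):
                data = tar.extractfile(member).read().decode("utf-8")
                return parse_requires_txt(data)
    return None, {}


def build_sample_sdist():
    """Constructed sample sdist (not a real package) carrying an egg-info dir."""
    files = {
        "example-1.0/setup.py": "from setuptools import setup\nsetup(name='example')\n",
        "example-1.0/example.egg-info/PKG-INFO": "Metadata-Version: 1.1\nName: example\n",
        "example-1.0/example.egg-info/requires.txt":
            "requests>=2.0\nsix\n\n[ssl]\npyOpenSSL\n\n[:python_version<\"3\"]\nfutures\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            payload = body.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```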

