[Distutils] does pypi or red-dove have a better firehose API than "download all the packages"?

holger krekel holger at merlinux.eu
Fri May 24 16:01:16 CEST 2013
On Fri, May 24, 2013 at 09:55 -0400, Donald Stufft wrote:
> On May 24, 2013, at 9:54 AM, holger krekel <holger at merlinux.eu> wrote:
> 
> > On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
> >> On May 24, 2013, at 7:17 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
> >> 
> >>>> From: holger krekel <holger at merlinux.eu>
> >>>>
> >>>> Nice.  How do you actually get at the dependencies?  Don't you
> >>>> need to execute setup.py for that?
> >>>
> >>> Yes, that's how it's done. However, the idea is to do it once per uploaded release and remember the results, so an installer tool like pip doesn't have to download and run setup.py every time :-)
> >> 
> >> So what you're saying is I can root your machine with a setup.py? ;)
> > 
> > That's the immediate risk, indeed :)  However, I guess one could use a VM
> > with a chroot and a dedicated user and timeout the setup after 20 seconds
> > or so to regain some safety.   It's a bit horrible but OTOH I'd really
> > like to have this information (especially the deps) without requiring
> > everybody to switch to a new packaging format first.
> > 
> > holger
> 
> Most packages also have an egg-info inside of them you can parse.
> 
> Of course the issue is that you're only going to get the requirements of the system that ran setup.py, either the author's or the server's, which doesn't accurately represent all of the dependencies all of the time.

True but maybe it would go a long way for most packages.  I need dep
information mostly for finding out in which dep configuration a
package's tests ran successfully.  I guess just installing it into a
fresh env and "pip freeze" it with some platform info might more
directly suit my needs.

best,
holger

> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
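As an illustration of the egg-info approach Donald mentions above, here is an added example (not code from the thread or from pip/PyPI) that reads `*.egg-info/requires.txt` straight out of an sdist tarball, so the untrusted `setup.py` is never executed. The sdist is constructed in memory; the caveat from the thread still applies, since `requires.txt` only reflects the environment of whoever ran `setup.py egg_info`.

```python
"""Extract declared dependencies from an sdist's egg-info without running setup.py."""
import io
import tarfile
from typing import Dict, List


def parse_requires_txt(text: str) -> Dict[str, List[str]]:
    """Parse setuptools' requires.txt: bare lines are core deps, [extra] headers open a section."""
    deps: Dict[str, List[str]] = {"": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            deps.setdefault(section, [])
            continue
        deps[section].append(line)
    return deps


def egg_info_requires(sdist: bytes) -> Dict[str, List[str]]:
    """Find <pkg>/<name>.egg-info/requires.txt in an sdist and parse it; nothing is executed."""
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if (member.isfile() and len(parts) == 3
                    and parts[1].endswith(".egg-info") and parts[2] == "requires.txt"):
                data = tar.extractfile(member).read().decode("utf-8")
                return parse_requires_txt(data)
    return {"": []}  # no egg-info shipped: the sdist would need setup.py to be run


def build_sample_sdist() -> bytes:
    """Constructed in-memory sdist for demonstration only (not a real package)."""
    files = {
        "demo-1.0/setup.py": "print('setup.py was executed')\n",  # never runs here
        "demo-1.0/demo.egg-info/requires.txt": "requests>=2.0\n\n[test]\npytest\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            raw = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()
```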