[Distutils] PEP470 installation security problems

Donald Stufft donald at stufft.io
Wed Oct 8 14:22:18 CEST 2014

> On Oct 8, 2014, at 8:17 AM, holger krekel <holger at merlinux.eu> wrote:
> Also, i am worried on principle grounds if pip maintainers are putting
> themselves outside PEP reach, yet pip is distributed along with Python.

We’re not “putting ourselves outside of PEP reach”. We are an external
project and we are not bound by the PEP process. Devpi, py.test, Django,
requests, etc are also not bound by the PEP process.

I was worried this might be used to try and force pip to adhere to PEPs
which is why PEP 453 explicitly mentions this fact.


“The maintainers of the bootstrapped software and the CPython core team will
work together in order to address the needs of both. The bootstrapped software
will still remain external to CPython and this PEP does not include CPython
subsuming the development responsibilities or design decisions of the
bootstrapped software. This PEP aims to decrease the burden on end users
wanting to use third-party packages and the decisions inside it are pragmatic
ones that represent the trust that the Python community has already placed in
the Python Packaging Authority as the authors and maintainers of pip,
setuptools, PyPI, virtualenv and other related projects.”

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the Distutils-SIG mailing list