[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 14:30:54 CEST 2014

On 8 October 2014 22:22, Donald Stufft <donald at stufft.io> wrote:
> On Oct 8, 2014, at 8:17 AM, holger krekel <holger at merlinux.eu> wrote:
>> Also, i am worried on principle grounds if pip maintainers are putting
>> themselves outside PEP reach, yet pip is distributed along with Python.
> We’re not “putting ourselves outside of PEP reach”. We are an external
> project and we are not bound by the PEP process. Devpi, py.test, Django,
> requests, etc are also not bound by the PEP process.

Note also that even for CPython itself, it is *up to us as core
developers* to decide when something needs to be escalated through the
PEP process. The vast majority of CPython changes are handled directly
through the issue tracker, and there's still the occasional change
that doesn't even make it that far (e.g. if we notice a problem while
working on something else, we have the option of just committing the
fix directly).

PEPs are primarily for changes which have broad ecosystem implications
where the additional overhead is justified. We don't write PEPs for
every change to the CPython command line interface (e.g. there's no
PEP for isolated mode), and the same kind of assessment of external
impact applies to pip and the PyPA in general when deciding whether a
change can be handled within the scope of an individual project, or if
it needs to be escalated for broader discussion.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
