[Distutils] PEP470 installation security problems

Paul Moore p.f.moore at gmail.com
Wed Oct 8 15:15:29 CEST 2014


On 8 October 2014 13:55, M.-A. Lemburg <mal at egenix.com> wrote:
> If pip decides to go with a strategy that ignores this, I think we
> have a problem. The core developers put trust into pip when allowing
> it to (effectively) get distributed with Python and making it the
> default Python packaging manager. Please use that trust with the
> appropriate care and respect.

Just to clarify - the pip team (I hope I speak for all of us) fully
understand the implications of being the de facto standard package
manager. And we appreciate the trust placed in us by the fact that pip
is distributed with Python. But at the same time, that trust was given
on the basis that (presumably) we have a track record of doing things
right, in an area that is notoriously full of heated discussions and
conflicting opinions. So what we'd like to do is to continue handling
things in the same way as always, working with the packaging
community.

In particular, that means that we did not align ourselves to the
CPython development model (as it is designed for a very different
community and set of problems). But we do want to adopt their good
practices where possible and appropriate. One of those is the PEP
process - but it's not entirely suitable (see the trail of PEPs from
the distribute/packaging/distutils2 era, for why). So we're trying to
get things right, and in the process we're learning - for example, the
failure of PEP 438 taught us that specifying installer behaviour too
closely in a PEP means we can't fix problems that are completely
messing up our users. But we still believe in the PEP process (anyone
who thinks otherwise hasn't noticed the amount of effort Donald, in
particular, is putting into all the PEPs in progress). It doesn't mean
that it can be treated as a way of forcing us not to do what we think
is right for the pip user base, though.

Paul.
