[Distutils] PEP470 installation security problems
chris.jerdonek at gmail.com
Wed Oct 8 17:08:15 CEST 2014
I have a suggestion. Holger obviously feels he has something very
important to say, and a lot of e-mails have already been sent back and
forth. Is there some way that Donald, Nick, and Holger could perhaps have
a conference call or hangout of some sort just for the purpose of
understanding and/or confirming exactly what his concern is (and, if
possible, coming to agreement on a resolution)? And then the result of
that conversation can be summarized for the list? I think that might be
more constructive at this point and courteous to Holger. I know that for
me, sometimes "a quick phone call" can do wonders.
On Wed, Oct 8, 2014 at 6:13 AM, Donald Stufft <donald at stufft.io> wrote:
> > On Oct 8, 2014, at 8:59 AM, holger krekel <holger at merlinux.eu> wrote:
> > On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
> >>> On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
> >>> On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> >>>> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> >>>>> No, i am not concerned about the extra index supplying whatever
> >>>>> After all, the user specifies the option and should trust that
> >>>>> I am concerned about the fact that public PyPI links are merged in
> >>>>> for my private packages residing on the extra index.
> >>>> That's what a default repository *does*. It's always on, unless you
> >>>> explicitly turn it off. Hence the name *extra index*. The index URL
> >>>> option is the one to use if you want to *replace* the index.
> >>> Nick, i don't know why you are saying this. Do you think i don't know
> >>> My point is that PyPI makes for a very different default repository than the
> >>> Debian or Redhat one. Or do you disagree there?
> >> If you understand that, then your statements in here don’t make any sense to me.
> >> What is it you’re trying to achieve exactly? Do you think the PEP should be
> >> rejected? Do you think it needs amended? You’re saying things that I can’t reconcile
> >> how they relate to the PEP (and I’m apparently not the only one) nor can I convert
> >> them into actionable feedback.
> > Sorry that it's so unclear to you, Nick and Paul. I tried my best.
> > And i tried to make suggestions what to change, what to avoid, what
> > kind of options pip would need to become safer etc.. That was all meant
> > as useful feedback to get a better PEP and end result.
> > But if you and Nick as authors refuse my suggestions (mainly:
> > backward compat, more careful reasoning about multi-index ops) then i am
> > currently clearly -1 on the PEP because i think it does more harm than
> > And i'll let it all rest at that for a bit because i don't want to
> > spend more time on it right now.
> I think I responded why I had considered and then rejected the backwards
> compatibility concern. We may just disagree on that point.
> I don’t understand what “more careful reasoning about multi-index ops”
> Maybe if you suggest a rewording or point to a specific part of the PEP
> you think should be removed/edited/added to?
> If you’d rather not do that above that’s fine! Just saying if you care to
> more time on it that maybe an explicit suggestion of what to change in the
> would be easier to understand.
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
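The difference Nick and Holger are arguing about (an extra index is merged with the default index, while the index URL option replaces it) can be made concrete with a small model of candidate selection. This is an added example, not code from the thread or from pip; the index URLs, package names and versions are constructed, and the "highest version wins across all configured indexes" rule is a simplification of pip's finder.

```python
# Constructed sample data: two simple indexes, name -> available versions.
# "https://pypi.example/simple" stands in for public PyPI; the other is a
# private index serving an internal package.  Not real servers.
INDEXES = {
    "https://pypi.example/simple": {
        "requests": ["2.4.0"],
        "mycorp-tools": ["99.0.0"],   # same name as the private package
    },
    "https://private.example/simple": {
        "mycorp-tools": ["1.2.0"],
    },
}


def parse_version(v):
    """Tiny dotted-integer version parser for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def resolve(name, index_url, extra_index_urls=()):
    """Return (version, source_url) for the best candidate.

    Models the behaviour discussed in the thread: every configured index
    (the index URL plus any extra index URLs) is searched, and the highest
    version wins no matter which index supplied it.  With no extra index,
    index_url alone is consulted, i.e. the default index is replaced.
    Returns None when no index has the package.
    """
    candidates = []
    for url in (index_url, *extra_index_urls):
        for v in INDEXES.get(url, {}).get(name, []):
            candidates.append((parse_version(v), v, url))
    if not candidates:
        return None
    _, version, url = max(candidates)
    return version, url


def shadowed_private_packages(private_url, public_url):
    """Defender check: names the private index serves that also exist on
    the public index, so a merged (extra-index) lookup may prefer the
    public copy instead of the private one."""
    private = INDEXES.get(private_url, {})
    public = INDEXES.get(public_url, {})
    return sorted(name for name in private if name in public)
```

Running `resolve("mycorp-tools", public, [private])` shows the public 99.0.0 winning over the private 1.2.0, whereas `resolve("mycorp-tools", private)` returns the private copy at the cost of `requests` no longer resolving; `shadowed_private_packages` is the audit a private index operator would run before relying on an extra index.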