[Distutils] PEP470 installation security problems

M.-A. Lemburg mal at egenix.com
Wed Oct 8 20:09:11 CEST 2014

On 08.10.2014 15:15, Paul Moore wrote:
> On 8 October 2014 13:55, M.-A. Lemburg <mal at egenix.com> wrote:
>> If pip decides to go with a strategy that ignores this, I think we
>> have a problem. The core developers put trust into pip when allowing
>> it to (effectively) get distributed with Python and making it the
>> default Python packaging manager. Please use that trust with the
>> appropriate care and respect.
> Just to clarify - the pip team (I hope I speak for all of us) fully
> understand the implications of being the de facto standard package
> manager. And we appreciate the trust placed in us by the fact that pip
> is distributed with Python. But at the same time, that trust was given
> on the basis that (presumably) we have a track record of doing things
> right, in an area that is notoriously full of heated discussions and
> conflicting opinions. So what we'd like to do is to continue handling
> things in the same way as always, working with the packaging
> community.
> In particular, that means that we did not align ourselves to the
> CPython development model (as it is designed for a very different
> community and set of problems). But we do want to adopt their good
> practices where possible and appropriate. One of those is the PEP
> process - but it's not entirely suitable (see the trail of PEPs from
> the distribute/packaging/distutils2 era, for why). So we're trying to
> get things right, and in the process we're learning - for example, the
> failure of PEP 438 taught us that specifying installer behaviour too
> closely in a PEP means we can't fix problems that are completely
> messing up our users. But we still believe in the PEP process (anyone
> who thinks otherwise hasn't noticed the amount of effort Donald, in
> particular, is putting into all the PEPs in progress). It doesn't mean
> that it can be treated as a way of forcing us not to do what we think
> is right for the pip user base, though.

Thanks for your clarification, Paul.

I just want to remind everyone that PEPs can be augmented and mistakes
can be fixed by superseding one PEP with another. It's a well-working
process, one that is accepted in Python land and in line
with the core development process.

Since pip now is part of the Python stdlib (even though not bound
by its release process), and the pip user base is identical with
the CPython user base, the PEP process also applies to pip.

That's the consequence of playing the role of an officially
sanctioned part of the ecosystem and comes as part of the
responsibility resulting from PEP 435.

So far this has worked out well, which is why I'm surprised
by some statements in this discussion.

Marc-Andre Lemburg

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
