[Distutils] PEP470 installation security problems

M.-A. Lemburg mal at egenix.com
Wed Oct 8 20:35:21 CEST 2014

On 08.10.2014 16:04, Donald Stufft wrote:
>> I'd also like to request that you take Holger's concerns more
>> seriously, perhaps add him as PEP author and let him participate
>> in clarifying it (if he still feels like investing time in this).
> I take all concerns and feedback seriously else I wouldn’t spend the many
> hours I’ve spent just this morning responding to them. I don’t grok what
> Holger’s actual concern is so it’s hard to turn those concerns into anything
> actionable I can actually do on the PEP.

Holger has made his points very clear in his emails.

If you don't follow/grok his reasoning it may indeed be better to
have him edit the PEP to add his improvements/changes.

I share his view that it is not necessary to break existing
setups to add multi-index support. This can be implemented as
a simple extension to what we already have:

Simply add the possibility for authors to register external indexes,
have pip, setuptools, et al. crawl these in addition to what's
up on the PyPI package page (using the logic that has existed in
these tools for years) and then let the author decide whether they
want to remove existing downloads from PyPI or not.

This allows for older installations to continue working, while
also (optionally) supporting a setup which does not use PyPI for
hosting at all.

BTW: For eGenix we've chosen to use a different approach, one
that is based on a Python web installer. I gave a talk about this at
PyCon UK, in case you're interested:
(talk video here:
This solves the issues with the pip user experience for our packages,
solves the download selection issues for the binaries, works with
all Python versions we support and assures that the downloads
are safe. It's still work in progress, but already quite usable.

Marc-Andre Lemburg

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
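The multi-index crawl sketched above (PyPI's own package page plus author-registered external indexes, with the author free to keep or drop the PyPI-hosted files) can be illustrated with a small resolver. This is an added example, not code from the mail, from pip or from the eGenix installer; the index pages, package name and URLs are constructed sample data, and the rule that every download link must carry a supported hash fragment (as PyPI's simple index does) is an assumption chosen here so that links from an external index are held to the same integrity check as links from PyPI.

```python
"""Merge download candidates from a primary (PyPI-style) simple index and
author-registered external indexes.

Added illustration only. SAMPLE_INDEXES is constructed HTML in the shape of
a "simple" index page; the hosts and the package "foo" are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample index pages keyed by their base URL (not real data).
SAMPLE_INDEXES = {
    "https://pypi.example.org/simple/foo/": """
        <a href="/packages/foo-1.0.tar.gz#sha256=aa">foo-1.0.tar.gz</a>
        <a href="/packages/foo-1.1.tar.gz#sha256=bb">foo-1.1.tar.gz</a>
    """,
    "https://downloads.example.com/foo/": """
        <a href="foo-1.1-cp34-win32.whl#sha256=cc">foo-1.1-cp34-win32.whl</a>
        <a href="foo-1.1.tar.gz#sha256=dd">foo-1.1.tar.gz</a>
        <a href="foo-1.2.tar.gz">foo-1.2.tar.gz</a>
    """,
}

# Hash algorithms a link may declare in its URL fragment (assumption).
ALLOWED_HASHES = {"sha256"}


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on a simple-index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def parse_simple_index(base_url, html):
    """Yield (filename, absolute URL without fragment, (algo, digest) or None)
    for each link on the page, resolving relative hrefs against base_url."""
    collector = _LinkCollector()
    collector.feed(html)
    for href in collector.hrefs:
        parts = urlsplit(urljoin(base_url, href))
        filename = parts.path.rsplit("/", 1)[-1]
        algo, _, digest = parts.fragment.partition("=")
        declared = (algo, digest) if algo and digest else None
        yield filename, parts._replace(fragment="").geturl(), declared


def collect_candidates(primary, externals, fetch=None):
    """Crawl the primary index first, then each external index.

    Returns (accepted, rejected, conflicts):
      accepted  - one candidate per filename; the first index listing a file wins
      rejected  - (filename, index) links with no supported hash fragment
      conflicts - (filename, index) where a later index re-lists a filename
                  with a different hash than the one already accepted
    `fetch` maps an index URL to its HTML; defaults to the constructed sample.
    """
    fetch = fetch or SAMPLE_INDEXES.__getitem__
    seen = {}
    rejected, conflicts = [], []
    for base in [primary, *externals]:
        for filename, url, digest in parse_simple_index(base, fetch(base)):
            if digest is None or digest[0] not in ALLOWED_HASHES:
                rejected.append((filename, base))
                continue
            if filename in seen:
                if seen[filename]["hash"] != digest:
                    conflicts.append((filename, base))
                continue
            seen[filename] = {"file": filename, "url": url,
                              "hash": digest, "index": base}
    return list(seen.values()), rejected, conflicts


if __name__ == "__main__":
    accepted, rejected, conflicts = collect_candidates(
        "https://pypi.example.org/simple/foo/",
        ["https://downloads.example.com/foo/"])
    for c in accepted:
        print("accept  ", c["file"], "from", c["index"])
    for f, idx in rejected:
        print("reject  ", f, "from", idx, "(no supported hash)")
    for f, idx in conflicts:
        print("conflict", f, "re-listed with a different hash on", idx)
```

Two choices in the merge are deliberate: PyPI is crawled first so a file already published there is never silently replaced by an externally hosted copy of the same name, and a re-listing with a different hash is reported rather than merged, since that is exactly the case where an installer would otherwise fetch something other than what the author uploaded.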
