[Distutils] some questions about PEP470

holger krekel holger at merlinux.eu
Mon Oct 13 14:08:51 CEST 2014


On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
> On 13 October 2014 11:40, holger krekel <holger at merlinux.eu> wrote:
> > and I just noted that the very Python guide on packaging is advertising
> > using plain --extra-index-url for private packages as well:
> >
> > http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
> 
> I can see your point here (I'm not sure I agree with it, but that's a
> separate issue).

Sorry but what is there to agree or discuss?  If recommending
--extra-index-url for private packages does not come with a big fat
warning that you need to publicly register the name with PyPI,
it exposes users to direct compromise of their machine, plain and simple.

best,
holger

> If you want to propose a patch for the packaging user
> guide, we can discuss it there.
> 
> > and, besides the need for fixing the various discussions/pages, I think
> > that PEP470 should contribute to a more careful discussion of the feature
> > (it's fine for the actual external linking to existing pypi projects
> > usecase, mind you).
> 
> So if I read you correctly, you're saying that the PEP 470 usage of
> --extra-index-url is fine. That's good.
> 
> I don't think it's the place of PEP 470 to discuss *other* uses of
> --extra-index-url. Having an example in there seemed fine to me, but
> if it brings up issues unrelated to the PEP then I think it's a
> distraction and should be removed. And I believe that's what has
> happened. So again, that's good.
> 
> >  And I guess pip should have a warning note in
> > the option help to help educating users.
> 
> Again, not for the PEP, but feel free to raise a PR for pip (but once
> again, I reserve the right to disagree with that PR when it's raised
> :-)).
> 
> Paul
> 
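To illustrate the risk Holger describes above, here is a constructed model (not pip's code and not from this thread) of how pip treats the primary index and every --extra-index-url as equal sources and installs the highest version it finds, so a private name that nobody registered on PyPI resolves to whatever a public upload of that name offers; a hash-pinned requirement rejects the substitute. The index URLs, package names and archive bytes are made up.

```python
"""Constructed model of pip's index merging under --extra-index-url.

Assumption (matches documented pip behaviour, simplified): every index is an
equal source, the best version wins, and --require-hashes rejects any file
whose digest is not pinned in the requirements file.
"""
from __future__ import annotations
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str       # which index served this distribution
    content: bytes   # stand-in for the archive bytes

    @property
    def digest(self) -> str:
        return sha256(self.content).hexdigest()


def _vkey(version: str) -> tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def pick(name: str, indexes: list[list[Candidate]]) -> Candidate:
    """Highest version across *all* configured indexes, regardless of origin."""
    pool = [c for idx in indexes for c in idx if c.name == name]
    if not pool:
        raise LookupError(name)
    return max(pool, key=lambda c: _vkey(c.version))


def pick_hashed(name: str, indexes: list[list[Candidate]], pins: set[str]) -> Candidate:
    """Same merge, but refuse a file whose digest is not in the pinned set."""
    chosen = pick(name, indexes)
    if chosen.digest not in pins:
        raise ValueError(f"{name}=={chosen.version} from {chosen.index}: hash mismatch")
    return chosen


# Constructed sample data: the private index holds acme-internal 1.2.0; the public
# index carries a same-named upload at 99.0 because the name was never registered.
PRIVATE = [Candidate("acme-internal", "1.2.0", "https://pypi.acme.example/simple", b"private 1.2.0")]
PUBLIC = [Candidate("acme-internal", "99.0", "https://pypi.org/simple", b"public 99.0")]


def demo() -> tuple[str, str, str]:
    merged = pick("acme-internal", [PUBLIC, PRIVATE])   # --index-url pypi.org --extra-index-url private
    private_only = pick("acme-internal", [PRIVATE])    # --index-url private (a mirror that proxies PyPI)
    try:
        pick_hashed("acme-internal", [PUBLIC, PRIVATE], {PRIVATE[0].digest})
        hashed = "accepted"
    except ValueError:
        hashed = "rejected"
    return merged.index, private_only.index, hashed
```

The merged configuration serves the public 99.0, the single private index serves 1.2.0, and the hash pin rejects the public file outright.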
