[Distutils] Beyond wheels 1.0: helping downstream, FHS and more

Chris Barker chris.barker at noaa.gov
Thu Apr 16 18:58:08 CEST 2015


On Wed, Apr 15, 2015 at 2:23 PM, Paul Moore <p.f.moore at gmail.com> wrote:

> In the PEP, there's a concept of "optional" vs "required" extensions.
> See https://www.python.org/dev/peps/pep-0426/#required-extension-handling.
> This is crucial - I've no problem if a particular extension is used by
> a project, as long as it's optional. I won't install it, so it's fine.
> It seems to me that pip *has* to ignore missing optional extensions,
> for this reason. Of course, that introduces the converse problem,
> which is how would people who might want that extension to be
> activated, know that a project used it?
>

Exactly -- we do want "pip install" to just work...


>  But I worry that some people may have a more liberal definition
> of "required" than I do.


They probably do -- if they want things to "just work".

We have the same problem with optional dependencies.

For instance, for IPython to work, you don't need much. But if you want the
IPython notebook to work, you need tornado, zeromq, who knows what else.
But people want it to just work -- and just work by default, so you want
all that optional stuff to go in by default.

I expect this is the same with wheel installer extensions. To use your
example, for instance. People want to do:

pip install sphinx

and then have the sphinx-quickstart utility ready to go, by default. So
scripts need to be installed by default.

The trade-off between convenience and control/security is tough.


> Based on the above, it's possibly valid to allow "required" extensions
> to be auto-installed. It *is* a vector for unexpected code execution,
> but maybe that's OK.
>

If even required extensions aren't auto installed, then we can just toss
out the whole idea of automatic dependency management. (which I personally
wouldn't mind, actually, but I'm weird that way)

But maybe we need some "real" use cases to talk about -- I agree with
others in this thread that the Start menu isn't a good example.

-Chris




-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

Chris.Barker at noaa.gov
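
Added example, not part of the original message and not pip's code: one way an installer could apply the optional/required distinction discussed above without auto-installing any handler, reporting skipped optional extensions and refusing an unknown required one. The "installer_must_handle" field name is taken from the PEP 426 draft linked in the quoted text; the "example.*" extension names, the sample metadata and the function names are constructed for illustration.

```python
# Added illustration; not pip's implementation.
# Assumption: extensions live under metadata["extensions"], each with an
# optional boolean "installer_must_handle" (PEP 426 draft).

KNOWN_HANDLERS = frozenset({"python.commands"})  # handlers this installer ships

# Constructed sample metadata; the "example.*" extension names are hypothetical.
SAMPLE_METADATA = {
    "name": "example-dist",
    "extensions": {
        "python.commands": {},
        "example.startmenu": {"installer_must_handle": False},
        "example.fhs_layout": {"installer_must_handle": True},
    },
}

def classify_extensions(metadata, known=KNOWN_HANDLERS):
    """Sort declared extensions into (handled, skipped, blocking).

    Nothing is downloaded or executed here: an unknown extension is either
    skipped (optional) or blocks the install (required).
    """
    handled, skipped, blocking = [], [], []
    for name, body in sorted(metadata.get("extensions", {}).items()):
        if name in known:
            handled.append(name)
        elif not isinstance(body, dict) or body.get("installer_must_handle") is True:
            # Fail closed: required, or malformed so the flag cannot be trusted.
            blocking.append(name)
        else:
            skipped.append(name)
    return handled, skipped, blocking

def decide(metadata, known=KNOWN_HANDLERS):
    """Return the install decision plus what the user should be told."""
    handled, skipped, blocking = classify_extensions(metadata, known)
    if blocking:
        return {"action": "refuse", "unhandled_required": blocking,
                "skipped_optional": skipped}
    return {"action": "install", "run_handlers": handled,
            "skipped_optional": skipped}

if __name__ == "__main__":
    print(decide(SAMPLE_METADATA))
```

The "skipped_optional" list is what lets a user find out that a project declared an extension the installer ignored.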