[Distutils] Entry points: specifying and caching

Nick Coghlan ncoghlan at gmail.com
Sat Oct 21 02:59:52 EDT 2017


On 21 October 2017 at 06:50, Daniel Holth <dholth at gmail.com> wrote:

> I like the idea of lifecycle hooks but I worry about the malware problem;
> would there need to be a blacklist / whitelist / disable system?
> (ignore-scripts=true is now a recommended part of anyone's npm
> configuration) That is why we have avoided any kind of (package specific)
> hooks to wheel. However hooks would be a very elegant way to avoid worrying
> about core pip functionality since it wouldn't be core functionality.
>

Yeah, here's the gist of what I had in mind regarding the malware problem
(i.e. aiming to ensure we don't get all of setup.py's problems back again):

- a package's own install hooks do *not* get called for that package
- hooks only run by default inside a virtualenv as a regular user
- outside a virtualenv, the default is "hooks don't get run at all"
- when running with elevated privileges, the default is "hooks don't get
run at all"

There are still some open questions with it (like what to do with hooks
defined in packages that get implicitly coinstalled as a dependency), and
having the default behaviour depend on both "venv or not" and "superuser or
not" may prove confusing, but it would avoid a number of the things we
dislike about install-time setup.py invocation.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
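As an added example (not code from the message, from pip, or from any PEP), here is how the four defaults listed above could be expressed as a gate that decides, per hook, whether it runs; the `HookRequest` shape, the `opt_in` override for the "by default" rules, and the venv/privilege detection via `sys.base_prefix` and `os.geteuid` are assumptions of this example.

```python
"""Gate for install-time lifecycle hooks, following the defaults
sketched in the message above (added example, not pip's own code)."""
import os
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class HookRequest:
    provider: str  # package that declared the hook (entry point owner)
    target: str    # package being installed that the hook would act on


def in_virtualenv() -> bool:
    # venv and virtualenv give the environment its own sys.prefix while
    # sys.base_prefix still points at the base interpreter.
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)


def is_elevated() -> bool:
    # POSIX: effective uid 0 means superuser. Where geteuid is missing
    # (Windows), this example conservatively reports "not elevated"; a
    # real tool would add a platform-specific check there.
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


def hook_allowed(req, *, venv, elevated, opt_in=False):
    """Return (allowed, reason). The first rule is absolute; the other
    two are defaults that an explicit opt_in (assumed option) overrides."""
    if req.provider == req.target:
        return False, "a package's own hooks never run for that package"
    if elevated and not opt_in:
        return False, "hooks disabled by default with elevated privileges"
    if not venv and not opt_in:
        return False, "hooks disabled by default outside a virtualenv"
    return True, "regular user inside a virtualenv"


def select_hooks(requests, *, venv=None, elevated=None, opt_in=False):
    """Split hook requests into (run, skipped), each item (req, reason).
    venv/elevated default to detecting the current interpreter's state."""
    venv = in_virtualenv() if venv is None else venv
    elevated = is_elevated() if elevated is None else elevated
    run, skipped = [], []
    for req in requests:
        ok, why = hook_allowed(req, venv=venv, elevated=elevated, opt_in=opt_in)
        (run if ok else skipped).append((req, why))
    return run, skipped
```

The `skipped` list with its reasons is what an installer would log, so a user can see which hooks were suppressed and why rather than silently losing them.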