[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Thu May 8 15:58:08 CEST 2014


On May 8, 2014, at 9:39 AM, M.-A. Lemburg <mal at egenix.com> wrote:

> Well, to be fair and leaving aside uptime concerns and the general
> desire to always install packages from some server instead of
> a safe and trusted local directory (probably too obvious ;-),
> it would certainly be possible to add support for
> trusted externally hosted packages.

There is support for trusted externally hosted packages, you put the URL in
PyPI and include a hash in the fragment like so:

http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56

The hash can be md5 or any of the sha-2 family.

Now this does not mean that ``pip install cdecimal`` will automatically install
this, because whether or not you're willing to install from servers other than
PyPI[1] is a policy decision for the end user of pip. The only real contention
point there is whether installing from other servers should be on or off by
default. PEP438 selected off by default, and I agree with that decision.
Installing externally hosted files, which are able to be safely downloaded[2],
was a surprising behavior to *everyone* I've talked to who hadn't already
discovered that pip/easy_install did that. For the people it wasn't surprising
to, they said it was surprising when they had originally discovered it[3].

[1] To be specific, other than the configured index(es), which happens to
    default to PyPI.
[2] For the definition of safe that PyPI/pip operate under, which is that the
    author of a package is assumed to be trusted by the person electing to
    download their package.
[3] I suspect people who were around when PyPI *couldn't* host files and were
    only an index would be the exception to this.

> 
> However, for some reason there's a strong resistance against
> doing this, which I frankly don't understand.
> 
> I agree with Stefan that the warning message wording is less
> than ideal. You'd normally call such blanket statements FUD,
> esp. since there are plenty external hosting services which
> are reliable and safe to use.
> 

I don't think the warning is FUD, and it doesn't mention anything security
related at all. The exact text of the warning is in the subject of the email
here:

    cdecimal an externally hosted file and may be unreliable

Which is true as far as I can tell, it is externally hosted, and it may be
unreliable[1]. If there is a better wording for that I’m happy to have it and
will gladly commit it myself to pip.

[1] In my experience dealing with complaints of pip's users, one of their big
    ones was that some dependency they use was, typically unknown to them,
    hosted externally and they found out it was hosted externally because the
    server it was hosted on went down.



-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
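The message above describes the mechanism for trusted externally hosted files: the download URL registered on PyPI carries a `#algo=hexdigest` fragment, where the algorithm is md5 or a member of the SHA-2 family, and the installer checks the fetched file against it. The following is an added example, not code from pip or from Donald's message, showing how an installer-side check of that fragment looks: parse the fragment, reject anything outside the md5/SHA-2 set or malformed, and compare the digest of the downloaded bytes in constant time. The function names, the `SAMPLE_ARCHIVE` bytes, and `sample_url` are constructed for this example; the only page-derived value is the cdecimal URL used in the usage demo.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms the page says PyPI accepts in the fragment: md5 or the SHA-2 family.
# md5 is kept for parity with that statement; its collision weakness makes the
# SHA-2 members the better choice for new links.
ALLOWED_ALGORITHMS = {"md5", "sha224", "sha256", "sha384", "sha512"}

# Constructed stand-in for a downloaded archive (not a real cdecimal release).
SAMPLE_ARCHIVE = b"cdecimal-example-archive-bytes\n" * 16

# Page-derived URL of the kind the message quotes (fragment is from the page).
CDECIMAL_URL = ("http://www.bytereef.org/software/mpdecimal/releases/"
                "cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56")


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a URL whose fragment is '#algo=hex'.

    Raises ValueError if the fragment is missing, names an algorithm outside
    the md5/SHA-2 set, or carries a digest of the wrong length or alphabet.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        raise ValueError("no hash fragment in URL: %r" % url)
    algo, _, digest = fragment.partition("=")
    algo = algo.lower()
    if algo not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported hash algorithm: %r" % algo)
    digest = digest.lower()
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed %s digest: %r" % (algo, digest))
    return algo, digest


def verify_download(data, algo, expected_digest):
    """True if `data` hashes to `expected_digest` under `algo` (constant-time compare)."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_digest.lower())


def check_external_file(url, data):
    """Installer-side policy: a file from an external URL is accepted only if the
    URL carries a valid fragment and the downloaded bytes match it."""
    algo, digest = parse_hash_fragment(url)
    return verify_download(data, algo, digest)


def sample_url(algo):
    """Build a constructed external URL whose fragment matches SAMPLE_ARCHIVE."""
    digest = hashlib.new(algo, SAMPLE_ARCHIVE).hexdigest()
    return "https://files.example.invalid/cdecimal-example.tar.gz#%s=%s" % (algo, digest)


if __name__ == "__main__":
    # The page's own link parses to an md5 fragment.
    print(parse_hash_fragment(CDECIMAL_URL))
    # A matching download is accepted; a tampered or truncated one is not.
    print(check_external_file(sample_url("sha256"), SAMPLE_ARCHIVE))
    print(check_external_file(sample_url("sha256"), SAMPLE_ARCHIVE[:-1]))
```

Note that `check_external_file` is deliberately strict: a link with no fragment, or a fragment naming sha1 or another unlisted algorithm, raises rather than silently falling through to an unverified install. That is the distinction the message draws between a file that is merely externally hosted (which pip warns about as possibly unreliable) and one that is externally hosted but safely downloadable.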
