[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
Donald Stufft
donald at stufft.io
Thu May 8 17:46:14 CEST 2014
On May 8, 2014, at 11:37 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 08.05.2014 16:42, M.-A. Lemburg wrote:
>> On 08.05.2014 15:58, Donald Stufft wrote:
>>>
>>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>
>>>> Well, to be fair and leaving aside uptime concerns and the general
>>>> desire to always install packages from some server instead of
>>>> a safe and trusted local directory (probably too obvious ;-),
>>>> it would certainly be possible to add support for
>>>> trusted externally hosted packages.
>>>
>>> There is support for trusted externally hosted packages, you put the URL in
>>> PyPI and include a hash in the fragment like so:
>>>
>>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
>>>
>>> The hash can be md5 or any of the sha-2 family.
>>>
>>> Now this does not mean that ``pip install cdecimal`` will automatically install
>>> this, because whether or not you're willing to install from servers other than
>>> PyPI[1] is a policy decision for the end user of pip.
>>
>> Hmm, if you call that feature "trusted externally hosted packages",
>> pip should really do trust them, right ? ;-)
>>
>> I can understand that pip defaults to not trusting URLs which don't
>> meet the above feature requirements, but not that it still warns
>> about unreliable externally hosted packages even if the above
>> feature is used.
>>
>> At the moment, pip will refuse to use externally hosted files even
>> if the package author uses the above hashed URLs; even with HTTPS
>> and a proper SSL certificate chain.
>
> Could this perhaps be changed/reconsidered for pip ?
>
> Note that easy_install/setuptools does not have such problems.
Anything can be changed or reconsidered of course. I feel pretty strongly that
an installer should not install things from places other than the index without
a specific opt in. That discussion would be best done on distutils-sig as it
would require reversing the decision in PEP438.
I really don't feel strongly one way or the other about the *warning* that
happens when you allow an external file. It exists primarily because at the
time it was implemented external files defaulted to allowed.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
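As an added example (not pip's or PyPI's own code) of the fragment mechanism Donald describes above: parse a `#<alg>=<hex>` URL fragment, accept only md5 or the SHA-2 family, and check a downloaded archive against it. The archive bytes and the `example.invalid` URL are constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms the index accepts in the fragment: md5 or the SHA-2 family.
ALLOWED_ALGORITHMS = {"md5", "sha224", "sha256", "sha384", "sha512"}


def parse_hash_fragment(url: str):
    """Return (algorithm, hexdigest) from a '#<alg>=<hex>' URL fragment.

    Raises ValueError when the fragment is missing, malformed, or names an
    algorithm outside the md5/SHA-2 set.
    """
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        raise ValueError("no hash fragment on URL: %s" % url)
    algorithm, _, digest = fragment.partition("=")
    algorithm = algorithm.lower()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported hash algorithm in fragment: %s" % algorithm)
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("malformed %s digest in fragment" % algorithm)
    return algorithm, digest.lower()


def verify_download(url: str, content: bytes) -> bool:
    """Check downloaded bytes against the digest pinned in the URL fragment."""
    algorithm, expected = parse_hash_fragment(url)
    actual = hashlib.new(algorithm, content).hexdigest()
    # Constant-time comparison; the digest is public, but it is a good habit.
    return hmac.compare_digest(actual, expected)


# Constructed sample: a stand-in archive body and the URL that would pin it.
SAMPLE_CONTENT = b"cdecimal-2.3 sample archive bytes (constructed)\n"
SAMPLE_URL = (
    "https://example.invalid/releases/cdecimal-2.3.tar.gz#sha256="
    + hashlib.sha256(SAMPLE_CONTENT).hexdigest()
)

if __name__ == "__main__":
    print(verify_download(SAMPLE_URL, SAMPLE_CONTENT))         # True
    print(verify_download(SAMPLE_URL, SAMPLE_CONTENT + b"x"))  # False
```

The pin is only as strong as the algorithm it names and the integrity of the index page carrying it, so a sha256 fragment is the sensible choice for new uploads.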