[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Thu May 8 18:57:00 CEST 2014


On May 8, 2014, at 12:42 PM, R. David Murray <rdmurray at bitdance.com> wrote:

> On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft <donald at stufft.io> wrote:
>> On May 8, 2014, at 11:21 AM, R. David Murray <rdmurray at bitdance.com> wrote:
>>> Ah, I understand now.
>>> 
>>> Your perspective is as someone who is using pip for *deployment*.
>> 
>> Deployment, or any kind of situation where you want to have a reproducible
>> build. Generally via deployment yes.
> [...]
>> For Python with pip you can use a requirements.txt file to create a set of
>> dependencies that are pinned to exact versions like:
>> 
>> foo==2.0
>> bar==2.3
>> 
>> And pip will (theoretically, our dep solving is real bad ATM) install exactly
>> those versions from your index server. Generally this means PyPI which
> 
> OK, this makes sense, then.  (I wish perl/cpan had something
> similar...maybe it does, but I couldn't find it at the time.)
> 
> This still leaves the fact that there is a disconnect between the
> "needs" of two different audiences for PIP: people who deploy things,
> and everyone else who just uses pip to install stuff.

Yup, balancing between the two is something we have to do in every
decision we make. When PEP 438 was being discussed I did a pretty
extensive amount of investigation into what effect this change would
have [1]. What I found was that:

- The sizable majority of projects hosted things on PyPI
- There was a significant chunk of projects where a single release or two
  would only be available externally and it was an accident that they weren’t
  uploaded.
- Of the links that were available externally, very few of them were available
  in a way that was verifiable and were thus insecure to install.

Because of this it was determined that simply allowing externally hosted
files without also allowing externally hosted and unverified files would not
actually have a significant impact for the vast bulk of the projects that
were not hosted on PyPI.

> 
> The second group is going to overwhelm the first group, if it doesn't
> already.

Generally yes, because not everyone who uses pip to deploy uses pip to
install locally, but most people who use pip to deploy also use pip
locally.

> 
> And I think that's all the comments I have on this issue :)

[1]: https://github.com/dstufft/pypi.linkcheck

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
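The message above explains two things a reproducible deployment needs from a requirements file: every requirement pinned to exactly one version (foo==2.0), and every file installable in a verifiable way, which for an externally hosted link under PEP 438 meant a digest in the URL fragment. The script below is an added example, not code from Donald Stufft, pip or the thread; it lints a requirements file for both properties and checks a downloaded artifact against the digests it declares. The package names, the example.invalid host and the artifact bytes are constructed for the example. The --hash=sha256:... option it accepts is real pip syntax but postdates this 2014 discussion (pip 8); the #sha256=... URL fragment is the PEP 438 form.

```python
import hashlib
import re
from urllib.parse import urlparse

# "name==version" is the only specifier that names exactly one release.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
# pip's per-requirement hash option (pip >= 8): --hash=<alg>:<hex>
HASH_OPT_RE = re.compile(r"--hash=(sha256|sha384|sha512|md5):([0-9a-fA-F]+)")
# PEP 438-style verifiable link: the digest travels in the URL fragment.
FRAGMENT_RE = re.compile(r"^(md5|sha1|sha256)=([0-9a-fA-F]+)$")


def parse_line(line):
    """Classify one requirements.txt line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    line = line.split(" #", 1)[0].strip()          # drop a trailing comment
    if line.startswith("-"):                        # -e, -r, --index-url, ...
        return {"raw": line, "kind": "option", "pinned": False, "hashes": {}}
    hashes = {alg.lower(): hx.lower() for alg, hx in HASH_OPT_RE.findall(line)}
    spec = HASH_OPT_RE.sub("", line).strip()
    if spec.startswith(("http://", "https://", "file://")):
        url = urlparse(spec)
        m = FRAGMENT_RE.match(url.fragment)
        if m:                                       # verifiable external link
            hashes[m.group(1).lower()] = m.group(2).lower()
        return {"raw": line, "kind": "url", "pinned": True, "hashes": hashes,
                "host": url.hostname}
    m = PIN_RE.match(spec)
    if m:
        return {"raw": line, "kind": "index", "name": m.group(1),
                "version": m.group(2), "pinned": True, "hashes": hashes}
    return {"raw": line, "kind": "index", "pinned": False, "hashes": hashes}


def lint(text):
    """Return (severity, line, message) for each line that is not reproducible."""
    findings = []
    for raw in text.splitlines():
        req = parse_line(raw)
        if req is None:
            continue
        if req["kind"] == "option":
            if req["raw"].startswith("-e"):
                findings.append(("error", req["raw"],
                                 "editable install: not pinned to a release"))
            continue
        if not req["pinned"]:
            findings.append(("error", req["raw"],
                             "not pinned to an exact version (use ==)"))
        elif req["kind"] == "url" and not req["hashes"]:
            findings.append(("error", req["raw"],
                             f"externally hosted on {req['host']} with no digest: unverifiable"))
        elif not req["hashes"]:
            findings.append(("warning", req["raw"],
                             "no --hash: installer trusts whatever the index serves"))
    return findings


def verify_artifact(data, hashes):
    """True only if data matches every declared digest; nothing declared -> False."""
    if not hashes:
        return False
    return all(hashlib.new(alg, data).hexdigest() == hx for alg, hx in hashes.items())


# Constructed sample input: a stand-in sdist and a requirements file that
# mixes a hash-pinned release, a bare pin, a loose range, a PEP 438-style
# verifiable link and an unverifiable external link.
SAMPLE_ARTIFACT = b"constructed stand-in for foo-2.0.tar.gz\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""# constructed requirements.txt for the example
foo==2.0 --hash=sha256:{SAMPLE_SHA256}
bar==2.3
baz>=1.0
https://example.invalid/qux-1.0.tar.gz#sha256={SAMPLE_SHA256}
https://example.invalid/quux-0.9.tar.gz
"""

if __name__ == "__main__":
    for severity, line, message in lint(SAMPLE_REQUIREMENTS):
        print(f"{severity:8} {line}\n         {message}")
    foo = parse_line(SAMPLE_REQUIREMENTS.splitlines()[1])
    print("foo-2.0 artifact verifies:", verify_artifact(SAMPLE_ARTIFACT, foo["hashes"]))
```

The lint only says whether an install *can* be reproduced and verified; verify_artifact is the check an installer has to run on the bytes it actually fetched before unpacking them, and it deliberately returns False when a requirement declares no digest at all, which is exactly the "externally hosted and unverified" case the message describes.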
