[Python-ideas] from __pip__ import

Nick Coghlan ncoghlan at gmail.com
Wed Sep 21 11:46:01 EDT 2016


On 21 September 2016 at 06:59, Chris Angelico <rosuav at gmail.com> wrote:
> On Wed, Sep 21, 2016 at 4:58 AM, אלעזר <elazarg at gmail.com> wrote:
>> I think that combining user convenience and security considerations, there
>> should be some way to invoke a GUI version of pip with flashing screen
>> asking for permissions to install the library. In situations where
>> interaction with the user is not trivial (i.e. when you don't have GUI
>> accessible) we can assume that the user is knowledgeable enough to install
>> the dependencies by herself. The import statement will be self explanatory
>> in this case.
>
> There have been talks of linking pip with Idle, which might do what
> you want. I don't know how that has progressed, but it'd be something
> to look into.

The issue for that is here: http://bugs.python.org/issue27051

It turns out the fact IDLE is sometimes used to teach *complete*
novices creates a problem for that concept, as learning to safely
navigate the free-for-all that is PyPI is actually a pretty advanced
development skill vs using a more curated collection like a Linux
distro or conda (where there are entities behind them that promise
that the code you download will be both non-hostile and at least
arguably useful, as opposed to PyPI where the only promise we make is
"the code you download will be the code the publisher uploaded"
without any attestation, good or otherwise, regarding the
trustworthiness of the publisher). A whitelist where we pre-approve a
bunch of known-safe components (perhaps even populated automatically
from the conda ecosystem) might resolve that, but we really do need
some form of curation if we're proposing to offer this as a default
capability to learners that aren't even familiar with their system
command line yet.

There's also an open issue at
https://github.com/pypa/python-packaging-user-guide/issues/267
regarding improving the documentation on packaging.python.org that
points folks towards the various bundling utilities that can give
them installers and self-contained scripts for execution on end user
systems.

In that domain, a potentially useful addition would be a clear recipe
for how to combine a script and a PyPI requirements file, into a
zipapp archive that bundles all those dependencies along with the
script as __main__.py.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
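The zipapp recipe sketched in the last paragraph, as an added example that is not code from the thread or from the Python documentation: `install_requirements` wraps pip's `--target` option (it needs network access and is not called in the demo), `build_zipapp` does the bundling with the stdlib `zipapp` module, and `demo` substitutes a constructed local package `greetlib` and script `app.py` for a real PyPI dependency so the whole thing runs offline.

```python
import os
import subprocess
import sys
import tempfile
import zipapp


def install_requirements(requirements_file: str, target_dir: str) -> None:
    """Vendor every requirement from a pip requirements file into target_dir.
    Uses pip's --target option; needs network access, so the demo skips it."""
    subprocess.run(
        [sys.executable, "-m", "pip", "install", "--target", target_dir,
         "-r", requirements_file],
        check=True,
    )


def build_zipapp(source_dir: str, script: str, output: str) -> str:
    """Copy `script` into source_dir as __main__.py and zip the whole tree into
    a runnable .pyz with a shebang, so the end user only needs an interpreter."""
    with open(script, encoding="utf-8") as src, \
            open(os.path.join(source_dir, "__main__.py"), "w", encoding="utf-8") as dst:
        dst.write(src.read())
    zipapp.create_archive(source_dir, target=output, interpreter="/usr/bin/env python3")
    return output


def demo() -> str:
    """Offline demonstration: a constructed stand-in package replaces the pip step."""
    with tempfile.TemporaryDirectory() as work:
        bundle = os.path.join(work, "bundle")
        os.makedirs(os.path.join(bundle, "greetlib"))
        # Constructed local package standing in for a vendored PyPI dependency.
        with open(os.path.join(bundle, "greetlib", "__init__.py"), "w") as f:
            f.write("def greet(name):\n    return 'hello, ' + name\n")
        # The user's script (constructed); it imports the bundled dependency by name.
        script = os.path.join(work, "app.py")
        with open(script, "w") as f:
            f.write("import greetlib\nprint(greetlib.greet('zipapp'))\n")
        pyz = build_zipapp(bundle, script, os.path.join(work, "app.pyz"))
        # Run the archive with the interpreter, exactly as an end user would.
        result = subprocess.run([sys.executable, pyz], capture_output=True,
                                text=True, check=True)
        return result.stdout.strip()


if __name__ == "__main__":
    print(demo())
```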

