On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <[email protected]> wrote:
> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <[email protected]> wrote:
>
> > Hello,
> >
> > One of my concerns with the recent pip dramas that have seen some
> > excellent and timely action from catalog-sig and others, is that
> > 'setuptools' is still widely distributed and used instead of distribute/pip.
>
> Well, let's back up: these aren't pip specific problems: just about every
> client side tool for installing from pypi suffers from lax security.
>
> > Setuptools either needs to be sunset, notices put on pypi, warnings
> > given to its users, out of linux distros, or it has to be upgraded to be
> > feature compatible with the security updates.
> >
> > That's a strong statement I've made, but I feel strongly that something
> > has to be done. I would like to solicit opinions here before an action plan
> > is composed.
>
> This is a bit of a question mark to me: the reality is that
> easy_install/setuptools usage is probably still dramatically higher than
> that of more modern tooling. That, and AFAIK, there are still features of
> them that the alternatives do not support (binary eggs, which are a must
> for windows).

Yikes. This is something I didn't fully understand until now. Our windows users prefer to use setuptools and eggs? That makes sense I guess.

With that in mind, it sounds like we're going to have to push patches into setuptools and make a security patch release...

Stephen.
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
