On Sun, Feb 10, 2013 at 9:37 AM, Stephen Thorne <step...@thorne.id.au> wrote:
> On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <jnol...@gmail.com> wrote:
>> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <step...@thorne.id.au> wrote:
>> > Setuptools either needs to be sunset, notices put on pypi, warnings
>> > given to its users, out of linux distros, or it has to be upgraded to be
>> > feature compatible with the security updates.
>> >
>> > That's a strong statement I've made, but I feel strongly that something
>> > has to be done. I would like to solicit opinions here before an action plan
>> > is composed.
>>
>> This is a bit of a question mark to me: the reality is that
>> easy_install/setup tools usage is probably still dramatically higher than
>> that of more modern tooling.

One thing to keep in mind is that at least Fedora, and I believe other distros, actually ship distribute rather than vanilla setuptools.

Migrating from insecure infrastructure is going to be a slow process; the immediate task is to make such a migration possible by:

1. Getting the server side in order
2. Offering at least one tool that better handles the security side of things

>> That, and AFAIK, there are still features of
>> them that the alternatives do not support (binary eggs, which are a must for
>> windows).
>
> Yikes. This is something I didn't fully understand until now. Our windows
> users prefer to use setuptools and eggs? That makes sense I guess.

Many of the changes in PEP 426, and Daniel Holth's wheel PEPs arise directly from asking the question "Why are some people still using setuptools rather than the alternatives?".

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia