On Monday, February 11, 2013 at 10:32 AM, M.-A. Lemburg wrote:
> On 11.02.2013 08:16, Ronald Oussoren wrote:
> >
> > On 10 Feb, 2013, at 0:37, Stephen Thorne <[email protected]> wrote:
> >
> > > On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <[email protected]> wrote:
> > > On Feb 9, 2013, at 6:13 PM, Stephen Thorne <[email protected]> wrote:
> > >
> > > > Hello,
> > > >
> > > > One of my concerns with the recent pip dramas that have seen some
> > > > excellent and timely action from catalog-sig and others, is that
> > > > 'setuptools' is still widely distributed and used instead of
> > > > distribute/pip.
> > >
> > > Well, let's back up: these aren't pip specific problems: just about every
> > > client side tool for installing from pypi suffers from lax security.
> > >
> > > > Setuptools either needs to be sunset, notices put on pypi, warnings
> > > > given to its users, out of linux distros, or it has to be upgraded to be
> > > > feature compatible with the security updates.
> > > >
> > > > That's a strong statement I've made, but I feel strongly that something
> > > > has to be done. I would like to solicit opinions here before an action
> > > > plan is composed.
> > >
> > > This is a bit of a question mark to me: the reality is that
> > > easy_install/setup tools usage is probably still dramatically higher than
> > > that of more modern tooling. That, and AFAIK, there are still features of
> > > them that the alternatives do not support (binary eggs, which are a must
> > > for windows).
> > >
> > > Yikes. This is something I didn't fully understand until now. Our windows
> > > users prefer to use setuptools and eggs? That makes sense I guess.
> >
> > I'm not on windows but don't use pip either. The primary reason for that is
> > that pip doesn't offer a compelling enough feature set, as far as I'm
> > concerned it just provides a different way to spell the installation
> > command ("pip install foo" instead of "easy_install foo").
>
> AFAIK, the main reason for a lot of users is the fact that you can
> uninstall packages with pip, which easy_install does not support.

Among a host of other options, including requirements.txt, easy upgrades, and more.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
