On 11 Feb, 2013, at 16:52, Jesse Noller <[email protected]> wrote:

> On Monday, February 11, 2013 at 10:32 AM, M.-A. Lemburg wrote:
> 
>> On 11.02.2013 08:16, Ronald Oussoren wrote:
>>> 
>>> On 10 Feb, 2013, at 0:37, Stephen Thorne <[email protected]> wrote:
>>> 
>>>> On Sat, Feb 9, 2013 at 11:28 PM, Jesse Noller <[email protected]> wrote:
>>>> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <[email protected]> wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> One of my concerns with the recent pip dramas that have seen some 
>>>>> excellent and timely action from catalog-sig and others, is that 
>>>>> 'setuptools' is still widely distributed and used instead of 
>>>>> distribute/pip.
>>>> 
>>>> Well, let's back up: these aren't pip-specific problems: just about every 
>>>> client-side tool for installing from PyPI suffers from lax security.
>>>> 
>>>>> 
>>>>> Setuptools either needs to be sunset, notices put on PyPI, warnings given 
>>>>> to its users, taken out of Linux distros, or it has to be upgraded to be 
>>>>> feature-compatible with the security updates.
>>>>> 
>>>>> That's a strong statement I've made, but I feel strongly that something 
>>>>> has to be done. I would like to solicit opinions here before an action 
>>>>> plan is composed.
>>>> 
>>>> This is a bit of a question mark to me: the reality is that 
>>>> easy_install/setuptools usage is probably still dramatically higher than 
>>>> that of more modern tooling. That, and AFAIK, there are still features of 
>>>> them that the alternatives do not support (binary eggs, which are a must 
>>>> for Windows).
>>>> 
>>>> Yikes. This is something I didn't fully understand until now. Our Windows 
>>>> users prefer to use setuptools and eggs? That makes sense, I guess. 
>>> 
>>> I'm not on Windows but don't use pip either. The primary reason for that is 
>>> that pip doesn't offer a compelling enough feature set; as far as I'm 
>>> concerned it just provides a different way to spell the installation 
>>> command ("pip install foo" instead of "easy_install foo"). 
>> 
>> AFAIK, the main reason for a lot of users is the fact that you can
>> uninstall packages with pip, which easy_install does not support.
> 
> Among a host of other options, including requirements.txt, easy upgrades, and 
> more. 

Sure, and I'd love to see something like pip in the std library. With wheel 
files (PEP 427), metadata 1.3 (PEP 426) and the database of installed packages 
in PEP 376 it should be possible to create a basic, but fully functional, 
version of a packaging tool in the stdlib that interoperates nicely with more 
advanced tools like pip and buildout. The hardest part would be creating a 
generic interface for building wheel files that doesn't rely on distutils (but 
without excluding it). 

Anyways, not using pip doesn't mean having a hopelessly outdated build system 
:-)

Ronald 

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig