On Fri, Feb 15, 2013 at 7:28 PM, Tarek Ziadé <[email protected]> wrote: > Looks completely legit to me, unfortunately... So until we catch that fish, > damage can already be done.
When you're already in a (security) hole, the first thing you need to do is *stop digging*. We have a handful of projects which need to trusted way to distribute a Python script in order to bootstrap installation tools on current versions of Python. That's a real problem, and this proposal is a good solution for that. Generalising that to grant the ability to upload arbitrary bootstrap scripts to every project for no good reason is making a bad situation worse, for zero payoff. So let's not do that. For projects other than distribute or pip, the bootstrap process should be: 1. Bootstrap pip 2. pip install project Or, if the project needs egg support: 1. Bootstrap distribute 2. easy_install project Cheers, Nick. -- Nick Coghlan | [email protected] | Brisbane, Australia _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
