On Thu, Feb 28, 2013 at 7:38 PM, PJ Eby <p...@telecommunity.com> wrote:
> I can't speak to pip, but since the relevant bits of distribute are
> 95% the same as setuptools, I think I can say that it will have the
> same technical issues, and that warning based on lack of an
> --allow-hosts will be both simpler to implement and easier to make
> secure.

I was thinking on simply checking that it used the same host as
index_url, but checking against allow-hosts does seem quite reasonable.

>> 2. After a pre-determined period (6 months?) new versions are again
>> released that no longer download from external sites, unless a
>> parameter is added. We still warn when the parameter is added that
>> this feature will go away.
>
> I'd suggest that this be simply making the default --allow-hosts point to
> PyPI.

I think a deprecation period is advisable, so we don't just break
things suddenly and make everyone angry.

>> 3. New versions of pip and distribute will check these version numbers
>> and warn (but not fail) if the major version increases, noting that
>> it's time to upgrade.
>
> I think we should do something more like what MAL is proposing, which
> means that the current "API" can disappear altogether when the new
> tools arrive.

Works for me.

//Lennart
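
An added example (not part of the original message, and not setuptools, distribute or pip code) of the two checks discussed in the thread: an exact host match against index_url versus glob matching against an allow-hosts list, in a warn-only mode and an enforcing mode. The PyPI hostname, the function names and the sample URLs are assumptions constructed for illustration.

```python
import fnmatch
from urllib.parse import urlparse

# Assumed values for illustration; neither is stated in the thread.
INDEX_URL = "https://pypi.python.org/simple/"
DEFAULT_ALLOW_HOSTS = "pypi.python.org"

def host_of(url):
    """Hostname only: lower-cased, without port or any user:pass@ prefix."""
    return urlparse(url).hostname or ""

def same_host_as_index(url, index_url=INDEX_URL):
    """First idea in the message: exact host match with index_url."""
    return host_of(url) == host_of(index_url)

def host_allowed(url, allow_hosts):
    """Glob-match the hostname against a comma-separated pattern list."""
    patterns = [p.strip().lower() for p in allow_hosts.split(",") if p.strip()]
    return any(fnmatch.fnmatchcase(host_of(url), p) for p in patterns)

def check_download(url, allow_hosts=None, enforce=False):
    """Return 'ok', 'warn' or 'block' for one candidate download URL.

    enforce=False models the deprecation period: with no allow-hosts
    given, an off-index host only produces a warning.
    enforce=True models the later default: allow-hosts points at the
    index host and everything else is refused.
    """
    if urlparse(url).scheme not in ("http", "https", "ftp"):
        return "ok"  # local path, nothing is fetched over the network
    if host_allowed(url, allow_hosts or DEFAULT_ALLOW_HOSTS):
        return "ok"
    if allow_hosts is None and not enforce:
        return "warn"
    return "block"

if __name__ == "__main__":
    # Constructed sample links, as they might appear on a project page.
    for link in ("https://pypi.python.org/packages/source/f/foo/foo-1.0.tar.gz",
                 "http://downloads.example.org/foo-1.0.tar.gz",
                 "https://pypi.python.org@downloads.example.org/foo-1.0.tar.gz"):
        print(check_download(link), check_download(link, enforce=True), link)
```

Matching on the parsed hostname rather than the raw network-location string keeps a `user@host` URL from passing as the index host.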