On Tue, Mar 12, 2013 at 3:16 PM, PJ Eby <p...@telecommunity.com> wrote:

> I'm confused by this statement. "never access an external host" is
> not consistent with "have the option to specify what hosts you trust",
> while still keeping PyPI as a universal index of Python software.
Sorry to be confusing! I'm trying to make a distinction between the out-of-the-box defaults and optional... options. Here's what I mean: imagine I'm new to Python and getting started. I grab my machine, install Python (via apt-get, homebrew, from source, whatever), and grab whatever the programmer next to me at work tells me is latest and greatest in the packaging world. No configuration, no editing of a config file, no reading of documentation, just `apt-get install python python-pip` or the equivalent. Now I type `pip install Django`. Again, with no configuration, no tweaking, no editing of anything, and no real understanding of what's going on.

The point I'm trying to make is that I consider it absolutely critical that this by-the-defaults approach gets me the *best* security the Python ecosystem has to offer. So this means no external packages; it also means signing and verifying once that infrastructure is in place [1].

On the other hand, the "have the option" means that `pip install <url>` needs to continue to work, too.

Is that clear? Again, I'm sorry if I'm being confusing; I think I'm having "translate from brain to keyboard" fail.

> I'm just saying, we don't need to change PyPI to do anything but drop
> the rel="" links, and change the tools to default allow-hosts to equal
> index-url. (pip has the same parameters, not sure what config files
> it uses, though. I don't think it inherits [easy_install] settings,
> though.)

As I've said, the implementation details aren't of a concern to me; the result is.

Jacob

[1] Also an important step, a bit further down the line, is eliminating or drastically reducing the use of an executable setup.py. But that's another show.

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
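As an added illustration of the default-deny policy discussed above (this is example code, not part of the thread and not pip's or setuptools' own implementation), the following sketch applies "allow-hosts defaults to the index host" to the download links an installer has discovered: with no configuration only the index host is fetchable, extra hosts are opt-in, and an explicit `pip install <url>` trusts that URL's host. The index URL and the sample links are constructed for the example.

```python
"""Added example: host filtering for installer-discovered download links.
Not code from the Catalog-SIG thread, pip, or setuptools."""
from urllib.parse import urlparse

# Assumed index for the example; the real default is whatever the tool ships.
INDEX_URL = "https://pypi.python.org/simple/"


def allowed_hosts(index_url=INDEX_URL, trusted_hosts=(), explicit_url=None):
    """Return the set of hosts an installer may fetch from.

    Out of the box only the index host is permitted.  The user can opt in
    to extra trusted hosts, and a URL given directly on the command line
    (`pip install <url>`) implicitly trusts that URL's own host.
    """
    hosts = {urlparse(index_url).hostname}
    hosts.update(h.lower() for h in trusted_hosts)
    if explicit_url:
        hosts.add(urlparse(explicit_url).hostname)
    return hosts


def filter_links(links, hosts):
    """Split discovered links into (fetchable, rejected) by hostname.

    Rejected links are kept so the installer can report *why* a release
    was skipped instead of silently falling back to an untrusted host.
    """
    fetchable, rejected = [], []
    for link in links:
        host = urlparse(link).hostname
        (fetchable if host in hosts else rejected).append(link)
    return fetchable, rejected


# Constructed sample: one file hosted on the index itself and two external
# links of the kind rel="download"/rel="homepage" scraping used to pull in.
SAMPLE_LINKS = [
    "https://pypi.python.org/packages/source/D/Django/Django-1.0.tar.gz",
    "http://www.example.org/downloads/Django-1.0.tar.gz",
    "http://mirror.example.net/Django-1.0.tar.gz",
]

if __name__ == "__main__":
    ok, dropped = filter_links(SAMPLE_LINKS, allowed_hosts())
    print("fetchable:", ok)
    print("rejected :", dropped)
```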