I very much dislike things that automatically download and install
software. An automatic installer may find a different version of a
supporting package every time I install software on another machine.
if the application asks for the different version then yes it should
download the version that was asked for and installed for that
application. It will only find a different version each time if the
application asks for it.
Here is an example of the scenario I am trying to avoid:
Suppose the package foobar asks for "xyzzy > 2.3".
On machine Fred, I install foobar on Tuesday. I do not even know that
foobar needs xyzzy, so unless I watch the install closely, Fred may have
xyzzy 2.4 installed.
On machine Barney, I install foobar on Wednesday. I do not know there
was a new release of xyzzy overnight, but Barney now has xyzzy 2.5
installed.
Six months from now, my user says "YOUR program is broken - it doesn't
do the same thing on Fred and Barney".
I figure out that it is the version of xyzzy, then decide that the
correct answers come when I use 2.4. It was automatically installed, so
I don't have a copy of it in my archive of source code. I try to
download it, but I can only find 2.5, 2.6, and 2.7 online.
What do I do?
Compare with:
On machine Fred, I install foobar on Tuesday, but I use --no-automatic.
It says "You must have xyzzy > 2.3".
I download xyzzy 2.4 to my collection of source code, install it on
Fred, then install foobar. Everything works.
On Wednesday, I install, on Barney, xyzzy 2.4 from my collection of
source code and my own package foobar.
Six months from now, my user sees that my program does the same thing on
Fred and Barney.
I keep careful track of what is installed on all my machines. If the
tool automatically installs any version other than the one I
specified, then the tool is working _against_ me. I don't need that.
No it is working like the application writer specified it.
I agree, except for the part where you said "No". :)
I think the correct description is "Yes! It is working like the
application writer specified it, but it is making proper configuration
control difficult."
Ideally, there would be a flag that says "if you can't find
something, give me an error -- do not attempt to download/install
anything". But it would be helpful if it can tell me "Package xyzzy
is missing, but you can get it from here:..."
This I agree, it should have a way to ignore some requests or even all
requests of the application that is launched, maybe even have a
configuration file somewhere (or a registry key, or a plist file
depending on the os) that override the default, which I think should
be give the running application the version that it specifies
(standard packaging version rules apply, if it asks for package >=1.0
then any version newer than 1.0 is sufficient)
Good point -- we need two options here:
1. do not download/install anything, just raise an error
2. use the version module XXX that I have, even though the package says
it is not suitable
But this is just a proposition that I think will never be able to work
with python without security or only signed and pre approved packages
on pypi.
Is it really different from what setuptools already does?
Do we know how CPAN handles security?
Mark S.
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
