On Thu, Mar 28, 2013 at 2:33 PM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>> From: Philippe Ombredanne <pombreda...@nexb.com>
>> On the other hand, I find it somewhat discomforting as an emerging
>> best way to package and distribute self-contained bootstrap scripts.

>> Virtualenv does it, distil is doing it now, pip tried some of it here
>> https://github.com/pypa/pip/blob/develop/contrib/get-pip.py
>> In contrast, buildout, distribute and setuptools bootstrap scripts do
>> not embed their dependencies and either try to get them satisfied
>> locally or attempt to download the requirements.
>
> And all this time, they would have been vulnerable to a MITM attack
> on PyPI because PyPI didn't support verifiable SSL connections
> until recently. It's good to be cautious, but Bruce Schneier has
> plenty of stories about caution directed in the wrong directions.

I am not so worried about security... I brought the point here because
this is the packaging and distribution list, and I see this as an
emerging pattern for the packaging and distribution of bootstrap
scripts and this is something that has not been discussed much before.

Conceptually I find these no different from setup.py scripts, and
these have been mostly normalized (or at the minimum have a
conventional name and a conventional if not specified interface.)

Yet today, for the all-important core package and environment
management tools, we have bootstrap scripts each with different
interfaces and different approaches to self containment or no
containment.

I feel this is worth discussing as bootstrapping is where everything begins :)

-- 
Philippe Ombredanne

+1 650 799 0949 | pombreda...@nexb.com
DejaCode Enterprise at http://www.dejacode.com
nexB Inc. at http://www.nexb.com
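The self-contained bootstrap pattern contrasted above with download-at-runtime bootstrapping (embed the dependency in the script, then pin its digest so a tampered copy is refused before anything is unpacked or imported), as an added illustration that is not code from virtualenv, distil, get-pip or any other project named in this thread; the embedded package, its name bootstrap_dep and the pinned SHA-256 value are constructed in the script itself so it runs offline.

```python
"""Added example: a bootstrap script that carries its own dependency as a
base64-encoded zip and verifies a pinned SHA-256 digest before loading it."""
import base64
import hashlib
import importlib
import io
import sys
import tempfile
import zipfile


def build_sample_payload():
    """Constructed stand-in for the real embedded dependency. A released
    bootstrap script would paste the base64 text in as a string literal and
    hard-code the digest; it is generated here only so the example is offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bootstrap_dep/__init__.py", "VERSION = '1.0'\n")
    data = buf.getvalue()
    return base64.b64encode(data).decode("ascii"), hashlib.sha256(data).hexdigest()


EMBEDDED_B64, EXPECTED_SHA256 = build_sample_payload()


def verify_payload(b64_text, expected_sha256):
    """Decode the embedded payload and compare its digest with the pinned one.
    A mismatch means the script (or the payload) was altered in transit or at
    rest, so refuse to continue rather than load different code."""
    data = base64.b64decode(b64_text)
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        raise RuntimeError("embedded payload digest mismatch: %s" % actual)
    return data


def bootstrap(b64_text=EMBEDDED_B64, expected_sha256=EXPECTED_SHA256):
    """Verify, unpack into a private temp dir, import the embedded package and
    return its VERSION. No network access happens at any point."""
    data = verify_payload(b64_text, expected_sha256)
    target = tempfile.mkdtemp(prefix="bootstrap-")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(target)
    sys.path.insert(0, target)
    return importlib.import_module("bootstrap_dep").VERSION


if __name__ == "__main__":
    print("bootstrapped bootstrap_dep", bootstrap())
```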
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig