On May 8, 2014, at 11:37 AM, M.-A. Lemburg <m...@egenix.com> wrote:

> On 08.05.2014 16:42, M.-A. Lemburg wrote:
>> On 08.05.2014 15:58, Donald Stufft wrote:
>>>
>>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <m...@egenix.com> wrote:
>>>
>>>> Well, to be fair and leaving aside uptime concerns and the general
>>>> desire to always install packages from some server instead of
>>>> a safe and trusted local directory (probably too obvious ;-),
>>>> it would certainly be possible to add support for
>>>> trusted externally hosted packages.
>>>
>>> There is support for trusted externally hosted packages, you put the URL in
>>> PyPI and include a hash in the fragment like so:
>>>
>>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
>>>
>>> The hash can be md5 or any of the sha-2 family.
>>>
>>> Now this does not mean that ``pip install cdecimal`` will automatically
>>> install this, because whether or not you're willing to install from
>>> servers other than PyPI[1] is a policy decision for the end user of pip.
>>
>> Hmm, if you call that feature "trusted externally hosted packages",
>> pip should really trust them, right ? ;-)
>>
>> I can understand that pip defaults to not trusting URLs which don't
>> meet the above feature requirements, but not that it still warns
>> about unreliable externally hosted packages even if the above
>> feature is used.
>>
>> At the moment, pip will refuse to use externally hosted files even
>> if the package author uses the above hashed URLs; even with HTTPS
>> and a proper SSL certificate chain.
>
> Could this perhaps be changed/reconsidered for pip ?
>
> Note that easy_install/setuptools does not have such problems.
Anything can be changed or reconsidered of course. I feel pretty strongly that an installer should not install things from places other than the index without a specific opt in. That discussion would be best done on distutils-sig as it would require reversing the decision in PEP438.

I really don't feel strongly one way or the other about the *warning* that happens when you allow an external file. It exists primarily because at the time it was implemented external files were allowed by default.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
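To make the hash-fragment mechanism quoted above concrete (an author registers on the index a URL of the form `<file>#<algo>=<hexdigest>`, the algorithm is md5 or one of the SHA-2 family, and installing from a host other than the index is an end-user opt-in), here is an added Python example. It is not pip's code and not from this thread; the set of index hostnames, the `allow_external` flag, the function names, the index-hosted path in case 5, and the sample archive bytes are all assumptions made for the example, and the digest it pins is computed from those constructed bytes, not from the real cdecimal tarball.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Fragment algorithms accepted here: md5 or the SHA-2 family, as the quoted
# message describes. Added example; this is not pip's implementation.
ALLOWED_ALGORITHMS = {"md5", "sha224", "sha256", "sha384", "sha512"}

# Hostnames treated as "the index". Assumed for this example.
INDEX_HOSTS = {"pypi.python.org"}

# Constructed stand-in for an archive; NOT the real cdecimal-2.3.tar.gz bytes.
SAMPLE_ARCHIVE = b"constructed sample bytes standing in for cdecimal-2.3.tar.gz\n"


class LinkPolicyError(Exception):
    """Raised when a download is refused by policy or fails its hash check."""


def parse_hash_fragment(url):
    """Return (algo, hexdigest) from a '#<algo>=<hexdigest>' fragment, or None if absent.

    Raises ValueError for an unsupported algorithm or a malformed digest, so a
    bad fragment is never silently treated as "no hash".
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    algo, sep, digest = fragment.partition("=")
    if not sep:
        raise ValueError("fragment is not of the form <algo>=<hexdigest>")
    algo, digest = algo.lower(), digest.lower()
    if algo not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm in fragment: {algo}")
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} hexdigest in fragment")
    return algo, digest


def is_external(url):
    """True when the file is served from somewhere other than the index hosts."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in INDEX_HOSTS


def verify_download(url, data, allow_external=False):
    """Policy: external hosts need an explicit opt-in; when the index link carries
    a hash fragment, the downloaded bytes must match it.
    Returns "verified", or "unverified" when there is no fragment to check against."""
    if is_external(url) and not allow_external:
        raise LinkPolicyError(f"refusing externally hosted file without opt-in: {url}")
    pinned = parse_hash_fragment(url)
    if pinned is None:
        return "unverified"
    algo, digest = pinned
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, digest):
        raise LinkPolicyError(f"{algo} mismatch: index pins {digest}, file has {actual}")
    return "verified"


def build_pinned_url(base_url, data, algo="md5"):
    """Produce the link an author registers on the index: URL plus '#<algo>=<digest>'."""
    return f"{base_url}#{algo}={hashlib.new(algo, data).hexdigest()}"


def demo():
    """Walk through the cases the thread discusses; returns a dict of outcomes."""
    base = "http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz"
    pinned = build_pinned_url(base, SAMPLE_ARCHIVE, "md5")
    results = {}
    # 1. Externally hosted, no opt-in: refused even though the link is hashed.
    try:
        verify_download(pinned, SAMPLE_ARCHIVE)
    except LinkPolicyError as exc:
        results["external_no_opt_in"] = str(exc)
    # 2. Opt-in plus matching digest: accepted.
    results["external_opt_in"] = verify_download(pinned, SAMPLE_ARCHIVE, allow_external=True)
    # 3. Opt-in, but the external server hands back different bytes: refused.
    try:
        verify_download(pinned, SAMPLE_ARCHIVE + b"\x00", allow_external=True)
    except LinkPolicyError as exc:
        results["external_tampered"] = "mismatch" in str(exc)
    # 4. sha1 is neither md5 nor SHA-2, so the fragment is rejected outright.
    try:
        parse_hash_fragment(base + "#sha1=" + "0" * 40)
    except ValueError:
        results["sha1_rejected"] = True
    # 5. Index-hosted file with no fragment (assumed path): allowed, nothing to verify.
    results["index_no_hash"] = verify_download(
        "https://pypi.python.org/example/cdecimal-2.3.tar.gz", SAMPLE_ARCHIVE)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point worth noticing is where the trust anchor sits: the digest is read from the index page, not from the external server, so the external host only has to serve matching bytes and is never relied on for integrity; what the fragment cannot decide is the availability and policy question, which is why the opt-in is a separate switch from the hash check. If you have the choice, pin with a SHA-2 digest rather than md5.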
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com