
Re: PEP 453 affects Debian packaging of Python packages
Paul Tagliamonte <paultag@debian.org> wrote:
>On Wed, Sep 18, 2013 at 05:41:52PM +0200, Piotr Ożarowski wrote:
>> ok, I forgot to add ";)", but...
>
>Sure, but let's be more careful - I don't want people quoting "Debian
>Python" people telling people they're going to purge pip from the
>archive...
>
>It's all too often I hear people complain about Debian at PyCon, and I'm
>getting sick and tired of it.

Hostile proposals like this don't exactly help build peace, love, and understanding. 

>> >   1) pip isn't for global package management, for this is stupid. If we
>> >      disabled root use of pip, I think we'd all be a bit happier.
>> 
>> tell that to most (sic!) Python app/library authors who recommend to
>
>I don't need to - this is a pretty commonly accepted fact with
>pythonistas. Most people know not to run pip with sudo on a sane linux
>system.
>
>> "sudo pip/ez_install ..." in their README files in order to install
>> their software (and tools like pip do not care that given files exist,
>> they just overwrite them (did rpm or dpkg do this 10 years ago?), not to
>> mention that they do that in /usr and not in ~/.local or at least
>> /usr/local (which they should not touch as well, BTW, only admins can,
>> but how can they know that? Why should developer on Windows care about
>> FHS?)
>> 
>
>> Don't get me wrong, I think pip has some valid use cases (f.e. inside
>> virtualenv), I even recommend it sometimes, but forcing us to use it
>> instead of our (much better) tools / breaking things we carefully
>> prepared for our users is just not acceptable.
>
>I don't disagree, but this isn't a reason to hate on pip. This is a
>reason to tell the people who wrote this proposal we'd likely not
>comply, but leave it as an installable component for development work.

If I understood the proposal correctly, security is to be bolted on later. Given the global threat environment, I am against introducing a new code installation mechanism that is not cryptographically verified. It might enter the archive once that's fixed, but I think not before. 

Scott K
