
Re: PEP 453 affects Debian packaging of Python packages



On 19.09.2013 00:36, Scott Kitterman wrote:
> 
> 
> Paul Tagliamonte <paultag@debian.org> wrote:
>> On Wed, Sep 18, 2013 at 05:41:52PM +0200, Piotr Ożarowski wrote:
>>> ok, I forgot to add ";)", but...
>>
>> Sure, but let's be more careful - I don't want people quoting "Debian
>> Python" people telling people they're going to purge pip from the
>> archive...
>>
>> It's all too often I hear people complain about Debian at PyCon, and I'm
>> getting sick and tired of it.

to be fair, they complain about any system-shipped Python.

> Hostile proposals like this don't exactly help build peace, love, and understanding. 

so calling the proposal hostile builds peace, love, and understanding?

>>> Don't get me wrong, I think pip has some valid use cases (f.e. inside
>>> virtualenv), I even recommend it sometimes, but forcing us to use it
>>> instead of our (much better) tools / breaking things we carefully
>>> prepared for our users is just not acceptable.
>>
>> I don't disagree, but this isn't a reason to hate on pip. This is a
>> reason to tell the people who wrote this proposal we'd likely not
>> comply, but leave it as an installable component for development work.

sure, and telling it in this way doesn't raise anyone's blood pressure.

> If I understood the proposal correctly, security is to be bolted on later. Given the global threat environment, I am against introducing a new code installation mechanism that is not cryptographically verified. It might enter the archive once that's fixed, but I think not before. 

so security stays at the same level as before.  If you think you have to add
something to the PEP, then do it and work together with the PEP maintainers.  Be
prepared to spend some time, to work with and understand the Windows and Mac OS X
ports and the different installers / Python distributions.  Do you want to do
this?  Write a PEP about integration with system packaging, and submit it, and
implement it.  Looking at something similar in the Java world you'll find this
difficult to get a broad consensus, see the more than once delayed JSR 277.

The only thing I can see in this thread is that a lot of pressure/opposition is
built up on the Debian side, and I currently cannot see why exactly.  pip
installs (when using the system python) should go to /usr/local, if not then pip
should be patched. Maybe give a warning, or require an extra option to run as
--yes-run-as-root, or maybe give a hint installing the deb package.

  Matthias

