[Catalog-sig] Proposal for the bootstrap API

PJ Eby pje at telecommunity.com
Fri Feb 15 21:29:50 CET 2013


On Fri, Feb 15, 2013 at 8:10 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Fri, Feb 15, 2013 at 10:25 PM, Tarek Ziadé <tarek at ziade.org> wrote:
>> Anyways: I am withdrawing my proposal - if we're special-casing a few
>> projects, why bother creating a new API in the first place?
>
> That's why I asked how frequently the bootstrap files needed updates
> earlier - if they're fairly static, then simply asking for a copy to
> be hosted on PyPI and documenting that as the canonical location is by
> far the most straightforward solution.
>
> The only reason for an API would be if the projects wanted to be able
> to update them directly without asking the PyPI admins to upload a new
> version (and, as you note, that could potentially be handled via
> ssh/scp config rather than via the PyPI web app).

Also, it may make sense to get rid of the bootstrap files in the long
run anyway.  ez_setup started the whole business with only one real
function: to solve the chicken-and-egg problem of allowing developers
to make use of dependencies without first needing their users to
install setuptools.  Is that a problem that actually needs solving any
more, almost a decade later?

(Apart from that use, the only thing it's good for is helping 64-bit
Windows users install the right version of setuptools in the right
place, and there will probably be a better fix for that eventually as
well.)

Buildout actually has a better reason than any of the other projects
to keep a bootstrap file around, and that's that it's targeted at a
general sysadmin audience not steeped in Python packaging lore.  So
having a bootstrap makes a lot of sense... except that there's no
reason it needs to live on PyPI, per se.  Zope corp. undoubtedly has
secure hosting and certs of their own, and the very thing that makes
them need a bootstrap script means that the people who need it don't
really care *what* secure source they pull it from.

It's possible I'm misunderstanding some things there, and I hope Jim
will chime in with corrections if applicable.  But I'm thinking maybe
instead of working out PyPI hosting for these things, we should just
get rid of them or host them elsewhere.  (I have at least one domain
w/a trusted cert that could be used, for example.)

(One additional point, though: for ez_setup.py's main use case, it's
currently distributed by way of anonymous SVN, and zillions of source
packages already hosted on PyPI.  Most of the time, the copy somebody
uses *already* came from somewhere other than the primary source.
Factor *that* into the phishing scenarios for a bit...)
