[Python-Dev] Installation requirements

A.M. Kuchling akuchlin@mems-exchange.org
Tue, 20 Jun 2000 21:46:43 -0400


[Follow-up to the Distutils SIG, please.]

There are a few steps needed to find and install a package:
1) Discovery : which module does what I need?
2) Download  : where can I get a copy?
3) Security  : is this actually from the package author, and not a Trojan?
4) Installation : how do I set it up?
5) Checking for new versions: I have 1.0 installed; is a newer version 
   available?

Distutils focuses on the hardest and most complicated step, #4.  

For #1, you would need to browse through a list of available packages,
browse through a hierarchy like Parnassus, or do keyword searches.

#2 is pretty simple, since you just get one or more download URLs
corresponding to a given package name, using the same database as in
#1.

For #3, you'd have to check a signature on the downloaded package,
using something external like GnuPG.  This means this step has to be
skipped if the external tool isn't available.  We could implement our
own signature scheme with Python code, but that's a bad idea; security
is hard, and few people will bother to generate keys that are only
useful for this one application of distributing Python modules.  (Side
note: the sdist and bdist_* commands should have a --sign switch to
sign the generated .tgz, .rpm, or whatever file.)

For #5, the existing stuff in Tools/versioncheck might be partially
applicable, though it requires that every package have a text file
somewhere which gives the latest version.  You'd want to use the same
database for everything, to ensure that people actually use it!

To start off with, we'd need some sort of generic API to the above
functions, so that different interfaces can be written.  A
command-line interface would then be easiest.

I don't know how network communications should be handled: HTTP to CGI
scripts that return sets of RFC-822 headers, maybe?  Combined with a
DNS alias like modules.python.org, or modules.{us,uk,...}.python.org?

Some potential sources of inspiration:

Debian: apt
Perl: CPAN.pm
FreeBSD: ports system
RPMfind (rpmfind.net)
XEmacs: packages system

-- 
A.M. Kuchling			http://starship.python.net/crew/amk/
  "Jo, it's a pity escapology wasn't part of your curriculum."
  "Funny you should say that. Look." <shows untied hand>
  -- The Doctor and Jo, tied up, in "Terror of the Autons"
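
A sketch of step #3 from the message above, added here as an example and not part of the original post or of Distutils: it calls an external GnuPG when one is installed, returns an explicit "skipped" result when it is not, and accepts a signature only from a pinned author key. The function names, fingerprints and sample status lines are constructed for illustration.

```python
import shutil
import subprocess

# Constructed placeholder fingerprints, not real keys.
AUTHOR_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# GnuPG status keywords that mean the signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def sample_status(fpr):
    """Constructed `gpg --status-fd` output for a good signature by `fpr`."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Author <author@example.org>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2000-06-20 961537603 0 4 0 17 2 00 {fpr}\n"
    )


def classify_status(status_text, expected_fpr):
    """Return 'verified', 'wrong-key' or 'failed' from gpg status lines."""
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return "failed"
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing key; the last field is the primary key.
            signers.update({fields[2].upper(), fields[-1].upper()})
    if not signers:
        return "failed"  # no valid signature was reported at all
    # A valid signature from some other key is exactly the Trojan case.
    return "verified" if expected_fpr.upper() in signers else "wrong-key"


def verify_package(pkg_path, sig_path, expected_fpr, gpg="gpg"):
    """Check a detached signature; 'skipped' means no GnuPG was found."""
    exe = shutil.which(gpg)
    if exe is None:
        return "skipped"  # the caller must report this, never treat it as verified
    proc = subprocess.run(
        [exe, "--batch", "--status-fd", "1", "--verify", sig_path, pkg_path],
        capture_output=True, text=True,
    )
    return classify_status(proc.stdout, expected_fpr)
```

Keeping "skipped" distinct from "verified" lets an installer decide whether a missing tool should block the install or only produce a warning.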