[Python-Dev] Status of packaging in 3.3

Paul Moore p.f.moore at gmail.com
Fri Jun 22 13:27:19 CEST 2012


On 22 June 2012 11:28, Dag Sverre Seljebotn <d.s.seljebotn at astro.uio.no> wrote:
> And I'm saying that would encourage a culture that's very dangerous from a
> security perspective. Even if many use binaries, it is important to
> encourage a culture where it is always trivial (well, as trivial as we can
> possibly make it, in the case of Windows) to build from source for those who
> wish to.

And what I am trying to say is that no matter how much effort gets put
into trying to make build from source easy, it'll pretty much always
not be even remotely trivial on Windows. There has been a lot of work
done to try to achieve this, but as far as I've seen, it's always
failed. One external dependency, and you're in a mess. Unless you're
proposing some means of Python's packaging solution encapsulating URLs
for binary libraries of external packages which will be automatically
downloaded - and then all the security holes open again.

You have to remember that not only do many Windows users not have a
compiler, but also getting a compiler is non-trivial (not hard, just
download and install VS Express, but still a pain to do just to get
(say) lxml installed). And there is no standard location for external
libraries in Windows, so you also need the end user to specify where
everything is (or guess, or mandate a directory structure).

The only easy-to-use solution that has ever really worked on Windows
in my experience is downloadable binaries. Blame whoever you like,
point out that it's not good practice if you must, but don't provide
binaries and you lose a major part of your user base. (You may choose
not to care about losing that group, that's a different question).

Signed binaries may be a solution. My experience with signed binaries
has not been exactly positive, but it's an option. Presumably PyPI
would be the trusted authority? Would PyPI and the downloaders need to
use SSL? Would developers need to have signing keys to use PyPI? And
more to the point, do the people designing the packaging solutions
have experience with this sort of stuff (I sure don't :-))?

Paul.
