[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Thu May 8 16:37:15 CEST 2014


On May 8, 2014, at 10:21 AM, R. David Murray <rdmurray at bitdance.com> wrote:

> On Thu, 08 May 2014 10:11:39 -0400, "R. David Murray" <rdmurray at bitdance.com> wrote:
>> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft <donald at stufft.io> wrote:
>>> I don't think the warning is FUD, and it doesn't mention anything security
>>> related at all. The exact text of the warning is in the subject of the email
>>> here:
>>> 
>>>    cdecimal an externally hosted file and may be unreliable
>>> 
>>> Which is true as far as I can tell, it is externally hosted, and it may be
>>> unreliable[1]. If there is a better wording for that I’m happy to have it and
>>> will gladly commit it myself to pip.
>>> 
>>> [1] In my experience dealing with complaints of pip's users, one of their big
>>>    ones was that some dependency they use was, typically unknown to them,
>>>    hosted externally and they found out it was hosted externally because the
>>>    server it was hosted on went down.
>> 
>> "unreliable" reads as "not safe", ie: insecure.
>> 
>> You probably want something like "and access to it may be unreliable".
> 
> Actually, thinking about this some more, *most* end-users aren't going
> to care that there's another point of failure here, they only care if it
> works or not when they try to install it.  So something like
> "cdecimal is not hosted on pypi; download may fail if external server
> is unavailable" might be clearer.
> 
> And once you're at that point, as a user I'm going to grumble, "Well, why
> the heck didn't you just try?", as I figure out how to re-execute the
> command so that it does try.
> 
> --David

Most users are not going to care up until the point where the external server
is unavailable, and then they care a whole lot. On the tin it sounds reasonable
to just download the external file if the server is up; however, we've done
that for a long time and the end result has been end user pain.

Now requiring someone to add a flag in order to download an externally hosted
file is also end user pain. The difference between the two pains is when they
happen. The requiring-a-flag pain happens at the point of decision, when you
decide to make your deployment depend on something hosted externally. The
default-to-allow pain happens sometime in the future, when you may or may not
have any idea why suddenly your installs aren't working (and when you look,
PyPI is up, so you're really very confused why this particular file doesn't
work). Even worse is the case when a project has some old files, but the newer
versions aren't hosted, and suddenly people are getting very old releases, which
is even more confusing to the end users.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
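As an added illustration, not code from this thread or from pip itself, here is a small Python model of the two behaviours contrasted above: the default that skips externally hosted links and warns at decision time, versus the opt-in flag that follows them and only fails later if the external host is down. The package name, index host and URLs are constructed placeholders; `reachable` stands in for the network.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample index listing (hypothetical package and hosts, not real
# project data): older releases live on the index itself, the newest is external.
INDEX_HOST = "pypi.example"
LINKS = [
    ("1.0", "https://pypi.example/packages/examplepkg-1.0.tar.gz"),
    ("1.1", "https://pypi.example/packages/examplepkg-1.1.tar.gz"),
    ("2.0", "https://files.external.example/examplepkg-2.0.tar.gz"),
]


@dataclass
class Selection:
    version: str
    url: str
    warnings: list = field(default_factory=list)


def _ver(v):
    return tuple(int(p) for p in v.split("."))


def select(links, index_host, allow_external=False, reachable=None):
    """Pick the release to install from an index listing.

    allow_external=False models the default: links not hosted on the index are
    dropped and a warning is raised now, at the point of decision.
    allow_external=True models the opt-in flag: external links are used, and a
    failure only surfaces at install time if that host happens to be down.
    """
    reachable = reachable or (lambda host: True)  # default: everything is up
    warnings, candidates = [], []
    for version, url in links:
        host = urlparse(url).hostname
        if host != index_host and not allow_external:
            warnings.append(f"{version} is externally hosted ({host}) and was skipped")
            continue
        candidates.append((version, url))
    if not candidates:
        raise LookupError("no installable release; pass allow_external=True")
    version, url = max(candidates, key=lambda c: _ver(c[0]))
    newest = max(links, key=lambda c: _ver(c[0]))[0]
    if _ver(version) < _ver(newest):
        # The "very old release" case: a newer version exists but was skipped.
        warnings.append(f"selected {version} although {newest} exists elsewhere")
    host = urlparse(url).hostname
    if not reachable(host):
        # Default-to-allow failure mode: the index is up, only this file fails.
        raise ConnectionError(f"could not fetch {url}: {host} unreachable")
    return Selection(version, url, warnings)
```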
