[Pythonmac-SIG] PackageManager / Python 2.3.x - 2.4 ideas
Bob Ippolito
bob at redivi.com
Wed Jul 30 18:01:51 EDT 2003
These are some ideas for future versions of Package Manager and
friends...
Should remove shell executable dependencies because python does these
tar
unzip
zip
curl
(not sure if it uses there or not)
rm
mv
Should leverage metadata from PyPI in some way
Should read proxy settings from OS X rather than using environment
variables.. allow a user override, store this as a preference
Should allow user to override 'scratch area', they might not always
have space in /tmp .. store this as a preference
We should write a cross-platform "preferences" module for python that:
Uses the registry in win32 to determine a folders for global/user
plists, and then uses that :)
Uses ~/Library/Preferences/plists and /Library/Preferences/plists in
OS X
Uses somewhere/plists for global settings on unix and
~/.dotfolder/plists in UNIX
Not have separate plist files for each distutils.util.get_platform() --
this is only semi-useful for binary OS X packages, and not useful at
all for other operating systems.
Have a cryptographically authenticated way of determining the
authenticity of 'stuff'. My search to find a pure python way to do
this failed miserably, *everyone* is using C sourcecode for this. So
my proposal for this would be to have two options (1) execute the
openssl utility if available (2) use pyOpenSSL to do it. With CPAN for
example, if you don't have a perl module to do something, it will use
whatever shell utility it can find to do the task until you actually
install the module that CPAN is looking for. I'm doing some research
to figure out what would be a good way to actually execute this. I'm
thinking that Python becomes a central CA, and package repository
maintainers get certificates from the Python CA. Perhaps it may also
be possible to have a package repository maintainer authorize an
individual package maintainer to manage their package (perform releases
directly without bothering the package repository maintainer), perhaps
these could live in an "experimental" repository, and then upon
approval from a package repository maintainer goes into the "official"
repository. OpenSSL also guarantees that we don't really have to worry
about how secure the implementation is so long as the application is
otherwise securely designed. Allow users to trust additional CAs,
store those as a preference.
The current infrastructure that uses PackageManager is susceptible to
all kinds of attacks (any sort of 'man in the middle' attack: dns
spoofing, server hacking, etc).
Keep receipts for installed packages, even if we don't write an
uninstaller.
Keep track of dependency versions.. for example, FooBar 2.0 might
require a minimum BarBaz of 1.0 and is tested compatible up to BarBaz
1.5. BarBaz might release a wonderful 1.6 version that breaks some
behavior that FooBar 2.0 or whatever other packages depended on.
Upgrading to BarBaz 1.6 should warn the user that "FooBar 2.0 and
SuperAlice 1.5 are dependent on BarBaz 1.0-1.5, but are not tested to
work with BarBaz 1.6. This upgrade may require upgrades to these
dependencies". Dependency graphs are a lot of fun, but we're all good
programmers here and we can't be lazy all the time.
Package Manager should be able to install distutils-based setup.py
source distributions that a user has on his harddrive or at any
arbitrary URL (i.e. not in the plist) either by dragging the tgz/zip to
PackageManager, picking a folder with a setup.py in it, or picking a
setup.py.
Package Manager should be organized categorically, like PyPI. (i.e.
they should be heavily integrated).
We should test upgrades to Package Manager :)
All of Package Manager's functionality should really be in platform
independent "designed" modules (meaning they don't have to support
other platforms yet, just designed with that intent).
Package Manager should be a responsive application, either by using
nonblocking methods to speak with spawned processes. Threading sucks
in python, let's not try and use it too much.
Speaking more with regard to separating the model and view of Package
Manager, we should think about making the Package Manager GUI speak
with Package Manager over sockets.. imagine managing python
installations for everyone on your LAN (that trusts you by SSH, or
whatever).
my train of thought was distracted by other emails.. I'm sure I'll be
posting more to this thread later :)
-bob
More information about the Pythonmac-SIG
mailing list