[Catalog-sig] Proposal for the bootstrap API
Tarek Ziadé
tarek at ziade.org
Fri Feb 15 13:25:25 CET 2013
On 2/15/13 12:30 PM, Nick Coghlan wrote:
> On Fri, Feb 15, 2013 at 7:28 PM, Tarek Ziadé <tarek at ziade.org> wrote:
>> Looks completely legit to me, unfortunately... So until we catch that fish,
>> damage can already be done.
> When you're already in a (security) hole, the first thing you need to
> do is *stop digging*.
There's a whole field of holes.
>
> We have a handful of projects which need a trusted way to distribute
> a Python script in order to bootstrap installation tools on current
> versions of Python. That's a real problem, and this proposal is a good
> solution for that.
>
> Generalising that to grant the ability to upload arbitrary bootstrap
> scripts to every project for no good reason is making a bad situation
> worse, for zero payoff. So let's not do that. For projects other than
> distribute or pip, the bootstrap process should be:
>
> 1. Bootstrap pip
> 2. pip install project
>
> Or, if the project needs egg support:
>
> 1. Bootstrap distribute
> 2. easy_install project
Anyways: I am withdrawing my proposal - if we're special-casing a few
projects, why bother creating a new API in the first place?
Let's just host the few existing files at a specific location on
python.org and be done with it.
On my side, as the distribute original maintainer I have this file:
=> http://python-distribute.org/distribute_setup.py
and I have no intent to set up a certificate for that domain.
If the PSF wants to set up something, I'll happily move the file to that
place and set up a redirection, as long as there's a way for distribute
maintainers to automatically update the file via an scp call.
Now, in my personal opinion, this whole discussion boils down to a trust
issue we'll solve only by having that "Bootstrap" thing in Python itself.
> Cheers,
> Nick.
>
--
Tarek Ziadé · http://ziade.org · @tarek_ziade
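The trust issue raised above, a bootstrap script served from a domain with no certificate, is something the consumer of such a script has to compensate for. As an added example (not code from this thread, from distribute or from pip), here is a Python fetch-and-verify routine that refuses plain HTTP, verifies the server certificate and hostname, and checks a SHA-256 digest obtained out of band before handing the script back; the URL, the constructed sample script and the `opener` hook are assumptions for illustration.

```python
"""Fetch a bootstrap script (such as distribute_setup.py) only when both the
transport and the content can be trusted: HTTPS with certificate verification
plus a pinned SHA-256 of the expected file. Example code, not distribute's own."""
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample standing in for a bootstrap script (not the real file).
SAMPLE_SCRIPT = b"import sys\nprint('bootstrapping install tools')\n"


class UntrustedBootstrapError(Exception):
    """Raised when the script cannot be trusted enough to execute."""


def sha256_hex(data):
    """Hex SHA-256 of the bytes; the pinned value is published out of band."""
    return hashlib.sha256(data).hexdigest()


def check_url_scheme(url):
    """Refuse plain HTTP: without TLS the file can be altered in transit."""
    if urlparse(url).scheme != "https":
        raise UntrustedBootstrapError("must fetch over https, got %s" % url)
    return url


def verify_digest(data, expected_sha256):
    """Compare the fetched bytes against the pinned digest."""
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        raise UntrustedBootstrapError("sha256 mismatch: %s != %s" % (actual, expected_sha256))
    return actual


def fetch_bootstrap(url, expected_sha256, opener=None):
    """Download and verify; `opener` (hypothetical hook) lets callers inject
    a fake fetcher that returns bytes, so the check runs offline."""
    check_url_scheme(url)
    if opener is None:
        ctx = ssl.create_default_context()  # verifies server cert and hostname
        def opener(u):
            with urllib.request.urlopen(u, context=ctx) as resp:
                return resp.read()
    data = opener(url)
    verify_digest(data, expected_sha256)
    return data  # only now is it reasonable to exec/write this script


def bootstrap_is_trusted(url, expected_sha256, opener=None):
    """Boolean form of fetch_bootstrap for callers that prefer not to catch."""
    try:
        fetch_bootstrap(url, expected_sha256, opener)
        return True
    except UntrustedBootstrapError:
        return False
```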