[Catalog-sig] Allowing the upload of .py files at PyPI

Richard Jones richard at python.org
Fri Feb 15 22:41:01 CET 2013


On 16 February 2013 07:16, PJ Eby <pje at telecommunity.com> wrote:
> On Thu, Feb 14, 2013 at 6:31 PM, Richard Jones <richard at python.org> wrote:
>> The bootstrap.py file would most likely have to be omitted from the
>> usual files listing mechanisms as they are used to determine
>> installable release packages.
>
> I would feel more comfortable with the proposed mechanism if it
> allowed the .py files to retain their original names.  There is a ton
> of collateral out there referring people to ez_setup.py, and while I
> can (and will) redirect the original URL to wherever it ends up, it'd
> be less confusing to keep the name.
>
> Among other things, it would help prevent the sort of phishing attack
> where somebody represents *their* ez_setup.py script as the real deal,
> while saying that setuptools/bootstrap.py is an obvious forgery, since
> it's not named ez_setup.py.  ;-)

Yes, on reflection this makes sense. It also makes sense to not have a
bunch of anonymous "bootstrap-<version>.py" files lying around.
Embedding the project name in the bootstrap filename should be
encouraged where there isn't already an established name like ez_setup


     Richard

