[Distutils] Self-contained bootstrap scripts [was: Re: A new, experimental packaging tool: distil]

Philippe Ombredanne pombredanne at nexb.com
Thu Mar 28 15:44:50 CET 2013


On Thu, Mar 28, 2013 at 2:33 PM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>> From: Philippe Ombredanne <pombredanne at nexb.com>
>> On the other hand, I find it somewhat discomforting as an emerging
>> best way to package and distribute self-contained bootstrap scripts.

>> Virtualenv does it, distil is doing it now, pip tried some of it here
>> https://github.com/pypa/pip/blob/develop/contrib/get-pip.py
>> In contrast, buildout, distribute and setuptools bootstrap scripts do
>> not embed their dependencies and either try to get them satisfied
>> locally or attempt to download the requirements.
>
> And all this time, they would have been vulnerable to a MITM attack
> on PyPI because PyPI didn't support verifiable SSL connections
> until recently. It's good to be cautious, but Bruce Schneier has
> plenty of stories about caution directed in the wrong directions.

I am not so worried about security... I brought the point here because
this is the packaging and distribution list, and I see this as an
emerging pattern for the packaging and distribution of bootstrap
scripts and this is something that has not been discussed much before.

Conceptually I find these no different from setup.py scripts, and
these have been mostly normalized (or at the minimum have a
conventional name and a conventional if not specified interface.)

Yet today, for the all-important core package and environment
management tools, we have bootstrap scripts each with different
interfaces and different approaches to self-containment or no
containment.

I feel this is worth discussing as bootstrapping is where everything begins :)

-- 
Philippe Ombredanne

+1 650 799 0949 | pombredanne at nexB.com
DejaCode Enterprise at http://www.dejacode.com
nexB Inc. at http://www.nexb.com
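The thread above contrasts bootstrap scripts that embed their dependencies with ones that download them, and notes that the downloading kind was exposed to a man-in-the-middle while PyPI lacked verifiable SSL. The following is an added example, not code from distil, pip, virtualenv, buildout, distribute or setuptools: the check a download-style bootstrap script can carry regardless of transport, namely a SHA-256 digest pinned in the script itself and compared against the fetched bytes before anything is unpacked or imported. The artifact name, the payload bytes and the fetch callables are constructed here so the example runs offline.

```python
"""Hash-pinned artifact check for a download-style bootstrap script.

Added illustration; not code from distil, pip, virtualenv, buildout,
distribute or setuptools.  The artifact name, payloads and the fake
fetch callables are constructed here so the example runs offline.
"""
import hashlib
import hmac
import io
import zipfile


def build_payload(extra_source: bytes) -> bytes:
    """Constructed stand-in for a downloaded wheel: a small zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo_pkg/__init__.py", b"VERSION = '1.0'\n" + extra_source)
    return buf.getvalue()


GOOD_PAYLOAD = build_payload(b"")
# What a man-in-the-middle could substitute: same name, extra code inside.
TAMPERED_PAYLOAD = build_payload(b"import os\nos.system('echo owned')\n")

ARTIFACT = "demo_pkg-1.0-py2.py3-none-any.whl"  # hypothetical artifact name

# A real bootstrap script would carry these digests as literals, computed
# once from the genuine artifacts by the script's author.  Here the pinned
# value is computed from the constructed GOOD_PAYLOAD so the example is
# self-contained.
PINNED_SHA256 = {ARTIFACT: hashlib.sha256(GOOD_PAYLOAD).hexdigest()}


class IntegrityError(Exception):
    """Raised when a fetched artifact does not match its pinned digest."""


def verify_artifact(name: str, data: bytes, pinned=PINNED_SHA256) -> bytes:
    """Return data only if its SHA-256 matches the digest pinned for name."""
    expected = pinned.get(name)
    if expected is None:
        # Refuse unpinned artifacts rather than silently trusting the server.
        raise IntegrityError("no pinned digest for %r" % name)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError("%s: expected sha256 %s, got %s" % (name, expected, actual))
    return data


def fetch_and_verify(name: str, fetch, pinned=PINNED_SHA256) -> bytes:
    """fetch(name) is the transport (e.g. urlopen(...).read()); verify before use.

    Nothing from the payload is unpacked or imported until the digest matches,
    so a swapped download fails here instead of executing.
    """
    return verify_artifact(name, fetch(name), pinned)


def module_names(payload: bytes):
    """List the archive members; only ever called on verified bytes."""
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.namelist()


def rejects_tampering() -> bool:
    """True if the tampered payload is refused while the genuine one passes."""
    good = fetch_and_verify(ARTIFACT, lambda n: GOOD_PAYLOAD)
    try:
        fetch_and_verify(ARTIFACT, lambda n: TAMPERED_PAYLOAD)
    except IntegrityError:
        return good == GOOD_PAYLOAD
    return False


if __name__ == "__main__":
    print("tampering rejected:", rejects_tampering())
    print("members of verified artifact:", module_names(GOOD_PAYLOAD))
```

The design point is that the trust anchor moves from the transport to the script: whoever ships the bootstrap script ships the digests, so the download channel only needs to deliver the right bytes, not to be trusted. Pinning by digest also means a changed upstream artifact is a visible update to the script rather than a silent change in what gets installed.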

