At 07:56 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Phillip J. Eby wrote:
>>In this case, that person could simply distribute everything from their
>>site, and the user can simply require all the downloads to come from that
>>site using easy_install's --allow-hosts option. For example, since
>>TurboGears distributes all its dependencies, I could trust only
>>turbogears.org. Or, I could choose to trust anything from
>>cheeseshop.python.org.
>>In other words, host-based trust seems a lot easier to implement and
>>almost as useful.
>
>IMO, common sense is just as useful: people know what software to
>install, so go right ahead and do it.
>
>Host-based trust really adds very little here: even if I like the
>software, somebody could have taken over the server and replaced
>it with a trojan. In that scenario, neither host-based trust nor
>common sense would help; I can't think of a scenario where host-based
>trust would help beyond common sense.
It doesn't - except for the fact that easy_install automatically locates and downloads dependencies using information on PyPI. So --allow-hosts can be used to rein in its enthusiasm a bit. :) It's also useful to set up a machine to only download software from a designated location by default, or to prevent automatic downloading altogether (by allowing only localhost).

_______________________________________________
Catalog-sig mailing list
http://mail.python.org/mailman/listinfo/catalog-sig
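Added illustration, not part of the thread and not setuptools' own code: a small Python reimplementation of the host check that --allow-hosts performs, applied to a constructed list of dependency download URLs. It mirrors the documented behaviour (each comma-separated entry is a shell-style wildcard that must match the whole host, e.g. turbogears.org, *.python.org or localhost; file: URLs are always permitted, which is why allowing only localhost blocks every remote download). The function names, the sample URLs and the simplification of matching the URL's hostname rather than its full netloc are assumptions made for this example.

```python
import fnmatch
import re
from urllib.parse import urlsplit


def compile_allow_hosts(allow_hosts):
    """Build a host matcher from a comma-separated --allow-hosts value.

    Each entry is treated as a shell-style wildcard (fnmatch) that must
    match the whole host name, e.g. "turbogears.org", "*.python.org" or
    "localhost". An empty value behaves like "*" (allow everything).
    Illustrative reimplementation of the documented behaviour; this is
    not setuptools' code.
    """
    patterns = [p.strip().lower() for p in allow_hosts.split(",") if p.strip()]
    if not patterns:
        patterns = ["*"]
    regex = "|".join(fnmatch.translate(p) for p in patterns)
    return re.compile(regex).match


def url_allowed(url, allow_hosts="*"):
    """True if, under --allow-hosts=ALLOW_HOSTS, this download URL is permitted.

    file: URLs are always permitted (they never leave the machine), so
    --allow-hosts=localhost installs from a local directory while
    blocking every remote download. Hostname-only matching is a
    simplification assumed for this example.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return True
    host = (parts.hostname or "").lower()
    return compile_allow_hosts(allow_hosts)(host) is not None


def filter_downloads(urls, allow_hosts):
    """Split candidate download URLs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in urls:
        (allowed if url_allowed(url, allow_hosts) else blocked).append(url)
    return allowed, blocked


# Constructed sample: the kind of download links easy_install might find
# while resolving a package and its dependencies via PyPI (hypothetical).
SAMPLE_URLS = [
    "http://turbogears.org/download/TurboGears-0.8a5.tar.gz",
    "http://cheeseshop.python.org/packages/source/S/SQLObject/SQLObject-0.7.tar.gz",
    "http://www.example.net/eggs/somedep-1.0-py2.4.egg",
    "file:///var/cache/eggs/localonly-1.0-py2.4.egg",
]

if __name__ == "__main__":
    # The three policies from the thread: trust only turbogears.org,
    # trust the cheeseshop as well, or allow no remote host at all.
    for policy in ("turbogears.org", "*.python.org,turbogears.org", "localhost"):
        allowed, blocked = filter_downloads(SAMPLE_URLS, policy)
        print("--allow-hosts=%s" % policy)
        for u in allowed:
            print("  allow ", u)
        for u in blocked:
            print("  block ", u)
```

To make such a policy the machine-wide default rather than a per-invocation flag, setuptools reads an allow_hosts setting from the [easy_install] section of the distutils config files (for example ~/.pydistutils.cfg), which is the "designated location by default" setup the reply mentions.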
