Don't forget that you can also just upload a zip script, at least for 2.6+. I know you still have to support 2.3.

On Feb 14, 2013 6:31 PM, "Richard Jones" <rich...@python.org> wrote:
> On 15 February 2013 06:28, Tarek Ziadé <ta...@ziade.org> wrote:
> > Some tools (setuptools, distribute, zope, pip) use bootstrap files to get
> > installed.
> >
> > In order to have a more secure installation process, we'd like to be able
> > to push those files on PyPI so people can download them through https using
> > the PSF certificate.
> >
> > As Phillip Eby noticed, that requires changing this method
> > https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
> >
> > by:
> >
> > - allowing .py extensions,
> > - allowing arbitrary file names when they have the .py extension
> >
> > Any objection if I provide a pull request for this?
>
> I like the idea except:
>
> 1. Limit it to a file named exactly "bootstrap-<version>.py" where the
> version matches the release
> 2. Allow it on a whitelist basis as the likelihood of phishing is still
> high
> 3. Symlink the latest (per current PyPI rules about how to determine
> "latest") "bootstrap-<version>.py" to "bootstrap.py"
>
> The bootstrap.py file would most likely have to be omitted from the
> usual files listing mechanisms as they are used to determine
> installable release packages.
>
> Yes, phishing is an issue for regular distributions too, though a
> bootstrap URL is more likely to be clicked/copy-pasted than someone
> actually typing in "pip install packagename". Yes, there is nothing
> stopping someone adding a package "DjangoInstaller" which looks quite
> legitimate. The community would hopefully notice quite quickly.
>
>
> Richard
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
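Editor's note: the three conditions Richard lists in the quoted message (whitelisted project, exact "bootstrap-<version>.py" name, version equal to the release's) plus the "keep bootstrap.py out of the installable-file listing" point are a small, testable policy. The following is an added example of that policy in Python; it is not PyPI's webui.py code and not anything from the thread. The whitelist contents, the function names, the accepted version character set, and the "latest" ordering (a plain natural sort that does not reproduce PyPI's actual rule and does not treat pre-release tags specially) are all assumptions made here for illustration.

```python
import re

# Added example implementing the upload rule proposed in the quoted message.
# Not PyPI's own code; names and policy details below are assumptions.

# Constructed whitelist of projects allowed to publish bootstrap scripts
# (point 2 of the proposal). A real deployment would keep this in config.
BOOTSTRAP_WHITELIST = frozenset({"setuptools", "distribute", "pip"})

# Exact shape "bootstrap-<version>.py" (point 1). The version character set
# deliberately excludes "/", "\\" and whitespace, so a file name can never
# carry a path component or a lookalike with padding.
BOOTSTRAP_RE = re.compile(r"bootstrap-(?P<version>[A-Za-z0-9.]+)\.py")


def check_bootstrap_upload(project, filename, release_version):
    """Return (accepted, reason) for an uploaded .py file.

    Checks are ordered cheapest-first; any failure rejects the upload, so
    "arbitrary file names with a .py extension" are never accepted.
    """
    if project not in BOOTSTRAP_WHITELIST:
        return False, "project is not whitelisted for bootstrap scripts"
    match = BOOTSTRAP_RE.fullmatch(filename)
    if match is None:
        return False, "file name must be exactly bootstrap-<version>.py"
    if match.group("version") != release_version:
        return False, "version in file name does not match the release"
    return True, "ok"


def split_release_files(filenames):
    """Separate installable release files from bootstrap scripts.

    The installable list is what a "which file do I install" lookup should
    see; bootstrap scripts are returned separately so they never get picked
    as a release package (the "omitted from the usual files listing" point).
    """
    installable, bootstrap = [], []
    for name in filenames:
        target = bootstrap if BOOTSTRAP_RE.fullmatch(name) else installable
        target.append(name)
    return installable, bootstrap


def _natural_key(version):
    # Assumption: a natural sort (digit runs compared numerically, letter runs
    # lexically) is good enough to order bootstrap versions here. It does not
    # reproduce PyPI's own "latest" rule and does not rank pre-release tags
    # below their final release.
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def latest_bootstrap(bootstrap_files):
    """Pick the file that the "bootstrap.py" alias (point 3) should point to."""
    if not bootstrap_files:
        return None
    return max(
        bootstrap_files,
        key=lambda name: _natural_key(BOOTSTRAP_RE.fullmatch(name).group("version")),
    )


if __name__ == "__main__":
    # Constructed inputs: one legitimate upload and three that the proposal
    # is designed to reject.
    for args in [
        ("setuptools", "bootstrap-0.6c11.py", "0.6c11"),
        ("DjangoInstaller", "bootstrap-1.0.py", "1.0"),   # not whitelisted
        ("pip", "install-pip.py", "1.3"),                   # arbitrary .py name
        ("pip", "bootstrap-1.2.py", "1.3"),                 # version mismatch
    ]:
        print(args, "->", check_bootstrap_upload(*args))
    files = ["pip-1.3.tar.gz", "bootstrap-1.3.py", "bootstrap-1.2.py"]
    print(split_release_files(files))
    print(latest_bootstrap(split_release_files(files)[1]))
```

The exact-name comparison matters more than it looks: a pattern such as `bootstrap-.*\.py` would accept `bootstrap-setuptools-latest.py` on a whitelisted project, which is precisely the kind of copy-pasteable URL the phishing concern is about. Tying the version in the name to the release version also means the file cannot be uploaded once and then "re-pointed" at a later release without a new upload.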