On 2/15/13 12:30 PM, Nick Coghlan wrote:
On Fri, Feb 15, 2013 at 7:28 PM, Tarek Ziadé <ta...@ziade.org> wrote:
Looks completely legit to me, unfortunately... So until we catch that fish,
damage can already be done.
When you're already in a (security) hole, the first thing you need to
do is *stop digging*.
There's a whole field of holes.
We have a handful of projects which need a trusted way to distribute
a Python script in order to bootstrap installation tools on current
versions of Python. That's a real problem, and this proposal is a good
solution for that.
Generalising that to grant the ability to upload arbitrary bootstrap
scripts to every project for no good reason is making a bad situation
worse, for zero payoff. So let's not do that. For projects other than
distribute or pip, the bootstrap process should be:
1. Bootstrap pip
2. pip install project
Or, if the project needs egg support:
1. Bootstrap distribute
2. easy_install project
Anyways: I am withdrawing my proposal - if we're special-casing a few
projects, why bother creating a new API in the first place?
Let's just host the few existing files at a specific location on
python.org and be done with it.
On my side, as distribute's original maintainer, I have this file:
=> http://python-distribute.org/distribute_setup.py
and I have no intent to set up a certificate for that domain.
If the PSF wants to set up something, I'll happily move the file to that
place and set up a redirection, as long as there's a way for distribute
maintainers to automatically update the file via an scp call.
Now, in my personal opinion, this whole discussion boils down to a trust
issue we'll solve only by having that "Bootstrap" thing in Python itself.
Cheers,
Nick.
--
Tarek Ziadé · http://ziade.org · @tarek_ziade
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig