On Fri, Feb 15, 2013 at 8:10 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
> On Fri, Feb 15, 2013 at 10:25 PM, Tarek Ziadé <ta...@ziade.org> wrote:
>> Anyways: I am withdrawing my proposal - if we're special-casing a few
>> projects, why bother creating a new API in the first place?
>
> That's why I asked how frequently the bootstrap files needed updates
> earlier - if they're fairly static, then simply asking for a copy to
> be hosted on PyPI and documenting that as the canonical location is by
> far the most straightforward solution.
>
> The only reason for an API would be if the projects wanted to be able
> to update them directly without asking the PyPI admins to upload a new
> version (and, as you note, that could potentially be handled via
> ssh/scp config rather than via the PyPI web app).
Also, it may make sense to get rid of the bootstrap files in the long run anyway. ez_setup started the whole business with only one real function: to solve the chicken-and-egg problem of allowing developers to make use of dependencies without first needing their users to install setuptools. Is that a problem that actually needs solving any more, almost a decade later? (Apart from that use, the only thing it's good for is helping 64-bit Windows users install the right version of setuptools in the right place, and there will probably be a better fix for that eventually as well.)

Buildout actually has a better reason than any of the other projects to keep a bootstrap file around, and that's that it's targeted at a general sysadmin audience not steeped in Python packaging lore. So having a bootstrap makes a lot of sense... except that there's no reason it needs to live on PyPI, per se. Zope Corp. undoubtedly has secure hosting and certs of their own, and the very thing that makes them need a bootstrap script means that the people who need it don't really care *what* secure source they pull it from.

It's possible I'm misunderstanding some things there, and I hope Jim will chime in with corrections if applicable. But I'm thinking maybe instead of working out PyPI hosting for these things, we should just get rid of them or host them elsewhere. (I have at least one domain w/ a trusted cert that could be used, for example.)

(One additional point, though: for ez_setup.py's main use case, it's currently distributed by way of anonymous SVN, and zillions of source packages already hosted on PyPI. Most of the time, the copy somebody uses *already* came from somewhere other than the primary source. Factor *that* into the phishing scenarios for a bit...)

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig