On Tue, Mar 12, 2013 at 7:38 AM, holger krekel <hol...@merlinux.eu> wrote:
> In addition, maintainers of installation tools are asked to release
> two updates. The first one shall provide clear warnings if external
> crawling needs to happen,

A clarification here: "needs to happen" is not well-specified. An installer tasked with finding the latest or best-matching version of a package must currently *always* crawl. So the warning would be always.

The strategy I originally chose for making this change in easy_install is to warn once at the beginning that --allow-hosts has not been set, and thus packages might be downloaded from anywhere on the internet. I've since become uncertain that this change is actually workable in the short term, since until most of the packages are actually moved onto PyPI, a lot of installs will fail if somebody changes their configuration to be more secure. So I'm thinking the warning needs to be deferred until at least the more popular packages have moved to PyPI.

> Now, if there is some agreement, I can submit this PEP officially tomorrow,
> and given agreement/refinements from the Pycon folks and the likes of
> Richard, we may be able to get going very shortly after Pycon.

I'd like to suggest that the PEP should be explicit that no other changes to the /simple generation algorithm are being made, just the removal or alteration of rel="" attributes. I.e., it will still be possible -- at least in the near term -- for projects to include explicit download links to files made available elsewhere. Changing that situation is more controversial and will require wider community participation than has occurred to date.

It might also be good to suggest that authors of PyPI clones plan their own phase-out of rel="" attributes.
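An added example (not code from this thread, setuptools or PyPI) of the mechanism the two messages are arguing about: it inspects a constructed /simple page, separates files hosted on the index from explicit external file links and from rel="homepage"/rel="download" pages that force an installer to crawl, and checks the hosts involved against an --allow-hosts style list. The fnmatch-on-hostname matching and the index hostname are assumptions modelled on easy_install's allow_hosts behaviour.

```python
# Added example, not code from the thread, setuptools or PyPI: classify the
# links on a constructed /simple/<project>/ page and check which hosts an
# installer would contact against --allow-hosts style fnmatch patterns.
import fnmatch
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a pre-PEP-438 style /simple page (not a real project).
SAMPLE_PAGE = """<html><body><h1>Links for example-pkg</h1>
<a href="../../packages/source/e/example-pkg/example-pkg-1.0.tar.gz#md5=0123">1.0</a>
<a href="http://example.org/example-pkg/" rel="homepage">home page</a>
<a href="http://files.example.net/example-pkg-1.1.tar.gz" rel="download">download</a>
<a href="http://files.example.net/example-pkg-1.2.tar.gz">1.2 tarball</a>
</body></html>"""
SAMPLE_BASE = "https://pypi.python.org/simple/example-pkg/"  # assumed index URL

class LinkCollector(HTMLParser):
    """Collect (absolute href, rel) pairs from every <a> on the page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((urljoin(self.base_url, a["href"]), a.get("rel")))

def classify_links(page_html, base_url, index_host="pypi.python.org"):
    """Split page links into: files hosted on the index itself, explicit
    file links hosted elsewhere, and rel=homepage/download pages that an
    installer must crawl to discover any files at all."""
    p = LinkCollector(base_url)
    p.feed(page_html)
    result = {"hosted": [], "external_files": [], "crawl": []}
    for url, rel in p.links:
        if rel in ("homepage", "download"):
            result["crawl"].append(url)
        elif urlsplit(url).hostname == index_host:
            result["hosted"].append(url)
        else:
            result["external_files"].append(url)
    return result

def hosts_outside_allowlist(urls, allow_hosts):
    """Hostnames the installer would contact that no allow_hosts pattern
    covers; a pattern of '*' (assumed default) permits every host, unwarned."""
    hosts = {urlsplit(u).hostname or "" for u in urls}
    return sorted(h for h in hosts if not any(fnmatch.fnmatch(h, pat) for pat in allow_hosts))
```

Run against the sample page, everything except the 1.0 tarball leaves the index, which is the "warning would be always" situation described above.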