At 06:09 PM 8/11/2005 -0500, Ian Bicking wrote:
>I think from a make-people-feel-comfortable perspective, it might be
>better if ez_setup informed the user of what it's doing (installing a
>build dependency) and get a confirmation. For instance, it can be
>disconcerting to do something that shouldn't require any privilege (e.g.,
>setup.py --help-commands) and end up triggering something that does
>require privilege (global installation of a package). Just an "I'm going
>to do this; OK?" question would be reassuring.

But then, how do you do that in such a way that an automated installation process (other than EasyInstall) won't hang? I suppose I could have the download function display a message followed by a countdown timer that would allow you to abort by hitting ^C. That way, an unattended process or lazy user (or slow reader :) could just proceed without needing to do anything.

The only problem I see with that is that drawing the user's attention to something that 99% of the time is going to be okay seems like a bad idea. It's like "WARNING: I'm about to do something exactly like what you'd do yourself by hand!" I'll have to find a suitable way to spin the message, something like:

"""Hello! ez_setup has detected that you don't have a recent-enough version of setuptools on your computer to be able to run this script. I'll be happy to download and install it for you (along with any other packages this script might need), but some firewalls may not allow programs like me to download software from the Internet. So I'll pause for a few seconds before starting the first download, to give you a chance to read this message, so you'll know you need to grant me access if something pops up asking if I should be allowed to connect to python.org. Thanks!

Beginning download in 20... 19... 18... """

Hopefully, something like that could be made friendly enough so that most people just ignore it.

> One scary one is if someone uses a Wiki page as a package index, and
> other people reference that without understanding the (considerable)
> danger. I *almost* did that myself, then I thought again and realized
> what a bad idea it would be.

That's why the best thing is to publish to PyPI if you can; source checkout links can always go in URLs embedded in 'long_description', and easy_install will still find them.

>But other layers of consistency are possible. For instance, for a package
>to be "trusted" by PyPI (on some level), maybe an email confirmation of
>substantive package updates would be required (like new releases, new
>versions of files, etc). This is just another consistency check -- make
>sure that the person on the other end of the registered email address
>approves what the person with the login account is doing (of course
>usually those are the same person).

At the very least, sending them emails about stuff that's happening would ensure they find out their account has been hacked. Assuming the address is still valid, of course, which isn't always the case. :(

_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
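The abortable countdown discussed in the message above, written as an added example for this page; it is not ez_setup's or setuptools' own code. The function name, the notice wording (paraphrased from the draft in the post), and the shortcut that skips the pause when stdin is not a terminal are all assumptions made here; the `simulate` helper drives the countdown with a fake clock so the two outcomes (user hits ^C, or nobody is watching and the script must not hang) can be exercised offline.

```python
import io
import sys
import time

# Notice text paraphrased from the post; the exact wording is an assumption.
NOTICE = (
    "Hello! This script needs a recent setuptools, which is not installed.\n"
    "It will be downloaded and installed for you now. Some firewalls may\n"
    "ask whether this program may connect to python.org; please allow it.\n"
    "Press Ctrl-C within the next few seconds to abort.\n"
)


def countdown_then_proceed(seconds=20, *, out=None, sleep=time.sleep,
                           interactive=None):
    """Show NOTICE, count down, and report whether to start the download.

    Returns True to proceed and False if the user aborted with Ctrl-C.
    When no human is watching (stdin is not a terminal, or interactive=False)
    the notice is still printed, but the pause is skipped so an unattended
    build never hangs.  The interactive check is this example's own addition,
    not something the post proposes.
    """
    if out is None:
        out = sys.stderr
    if interactive is None:
        interactive = sys.stdin.isatty()
    out.write(NOTICE)
    if not interactive:
        out.write("Non-interactive session; continuing without a pause.\n")
        return True
    out.write("Beginning download in ")
    try:
        for remaining in range(seconds, 0, -1):
            out.write(f"{remaining}... ")
            out.flush()
            sleep(1)          # ^C here raises KeyboardInterrupt
    except KeyboardInterrupt:
        out.write("\nAborted by user; nothing was downloaded.\n")
        return False
    out.write("\n")
    return True


def simulate(seconds, abort_at=None, interactive=True):
    """Run the countdown against a fake clock (no real sleeping).

    abort_at=k simulates Ctrl-C during the k-th one-second wait.
    Returns (proceeded, transcript) so the behaviour can be checked.
    """
    buf = io.StringIO()
    ticks = []

    def fake_sleep(_seconds):
        ticks.append(1)
        if abort_at is not None and len(ticks) == abort_at:
            raise KeyboardInterrupt

    ok = countdown_then_proceed(seconds, out=buf, sleep=fake_sleep,
                                interactive=interactive)
    return ok, buf.getvalue()


if __name__ == "__main__":
    # Real run: a 5-second window in which Ctrl-C aborts.
    sys.exit(0 if countdown_then_proceed(seconds=5) else 1)
```

Only the decision to proceed is returned; the caller that actually performs the download is expected to check it, so an abort leaves nothing installed. Because `sleep` and `out` are injectable, the same function can be tested without waiting or touching a terminal.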
