On May 15, 2013, at 3:22 PM, Daniel Holth <dho...@gmail.com> wrote:

> On Wed, May 15, 2013 at 2:33 PM, Donald Stufft <don...@stufft.io> wrote:
>>
>> On May 15, 2013, at 2:10 PM, Daniel Holth <dho...@gmail.com> wrote:
>>
>>> On Wed, May 15, 2013 at 1:12 PM, Donald Stufft <don...@stufft.io> wrote:
>>>> It also has a problem with setuptools, distribute, and PyPI and the way
>>>> they do normalization. They all already assume that projects will
>>>> generally have alphanumeric names and you can take any non-alphanumeric
>>>> string of characters and replace it with a "-". So in order to properly
>>>> support unicode you'd have to remove all the existing versions of
>>>> setuptools from production use, and you'd need to update PyPI to
>>>> understand how to lower case unicode.
>>>>
>>>> Because I registered the snowman package, you'll find it's impossible to
>>>> register any other pure unicode package of any length.
>>>
>>> If PyPI has a proper i18n and Unicode implementation first, and then
>>> the tools are updated (perhaps distlib is an easier place to add
>>> Unicode than setuptools), then pypi will contain:
>>>
>>> 1. mostly ASCII projects that everyone can install
>>>
>>> 2. some Unicode projects uploaded by jerks
>>>
>>> 3. some worthwhile Unicode-named projects that might not have been
>>> uploaded before
>>>
>>> 4. some Unicode-named packages that you have to use even though you
>>> don't like the name?
>>>
>>> It's true that for a long time ASCII project names will be more
>>> convenient no matter what PyPI does, but it can be the publisher's
>>> choice rather than being cut off at the head. I don't think it's a
>>> tremendous amount of work to make Unicode work properly just for those
>>> who want it.
>>
>> The problem here isn't just that the old systems won't support it. It's that
>> they both won't support it and if someone does attempt to use a unicode
>> package they can get an entirely different package than they expected to
>> get.
>>
>> The failure case is a massive security risk.
>
> Don't expose them in the simple API?

So then they are useless? It seems a lot of gotchas and gymnastics just to be academically nicer to people whose languages don't fit into ASCII alphanumerics, but it's only a superficially nicer since they won't actually be able to do anything useful with it.

> If this is PyPI's big security issue then we are doing awesome.

This is some seriously jacked thinking and leads to nothing ever becoming secure, because there's always a reason not to implement X security change because of all the other security changes needed.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
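The collision Donald describes (every non-alphanumeric run collapsing to "-", so one symbol-only name blocks all others) can be checked directly. The following is an added illustration, not code from the thread, setuptools or PyPI: `legacy_key` is a reconstruction modelled on the behaviour described above, `unicode_key` is a hypothetical Unicode-aware alternative, and `collisions` is the kind of pre-registration check a registry would run to see which distinct names it would treat as the same project. The sample names are constructed.

```python
import re
import unicodedata

# Reconstruction of the legacy behaviour the thread describes (not the real
# setuptools/PyPI code): every run of characters outside ASCII letters,
# digits and "." becomes a single "-", and the result is lower-cased.
LEGACY_RE = re.compile(r"[^A-Za-z0-9.]+")


def legacy_key(name: str) -> str:
    return LEGACY_RE.sub("-", name).lower()


# Hypothetical Unicode-aware variant (an assumption, not PyPI policy):
# NFKC-fold so compatibility spellings compare equal, case-fold so "lower
# casing unicode" is well defined, and only collapse runs of characters
# that are not letters or digits in any script.
def unicode_key(name: str) -> str:
    folded = unicodedata.normalize("NFKC", name).casefold()
    out, in_sep = [], False
    for ch in folded:
        if ch.isalnum() or ch == ".":
            out.append(ch)
            in_sep = False
        elif not in_sep:        # collapse a whole run of separators into one "-"
            out.append("-")
            in_sep = True
    return "".join(out)


def collisions(names, key):
    """Map each normalized key to the distinct names that share it.

    Only keys shared by more than one distinct name are returned; these are
    the names a registry would silently treat as the same project.
    """
    groups = {}
    for n in names:
        groups.setdefault(key(n), []).append(n)
    return {k: sorted(set(v)) for k, v in groups.items() if len(set(v)) > 1}


# Constructed sample names (not real PyPI projects): ASCII with a case
# variant, the snowman, a CJK name, a name with a non-ASCII letter.
SAMPLE = ["requests", "Requests", "\u2603", "\u65e5\u672c\u8a9e",
          "na\u00efve", "naive", "\u2603\u2603"]

if __name__ == "__main__":
    print("legacy :", collisions(SAMPLE, legacy_key))   # snowman and CJK both become "-"
    print("unicode:", collisions(SAMPLE, unicode_key))  # CJK survives; symbol-only names still collide
```

Under the Unicode-aware key the CJK name is preserved, but "☃" and "☃☃" still map to "-", so a registry would additionally have to reject names whose key contains no letters or digits at all.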
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig