On 22 March 2014 09:37, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>> This strategy does not generally try to eliminate arbitrary code
>> execution during builds - builds are an inherently arbitrary-code
>> process. But once the build has happened most installs should work
>> without arbitrary code execution.
>
> I don't think builds should be a *completely* arbitrary-code process. I
> understand well that user-defined code should be accommodated, but IMO this
> should be within a declarative framework with well-defined hooks, otherwise
> it will ultimately lead to the same problems that setup.py has.

Agreed, but that can be a two step process:

1. Formally decouple the setup.py CLI from the distutils command system
2. Define a more declarative metabuild system, with the setup.py CLI
   considered a legacy compatibility interface.

The reason I think we need to cover step 1 first is because without
doing that, I don't believe we're going to understand the existing
scope we need to cover for 2.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig