On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
> On 13 October 2014 11:40, holger krekel <[email protected]> wrote:
> > and I just noted that the very Python guide on packaging is advertising
> > using plain --extra-index-url for private packages as well:
> >
> > http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
>
> I can see your point here (I'm not sure I agree with it, but that's a
> separate issue).
Sorry but what is there to agree or discuss? If recommending --extra-index-url
for private packages does not come with a big fat warning that you need to
publicly register the name with PyPI, it exposes users to direct compromise of
their machine, plain and simple.

best,
holger

> If you want to propose a patch for the packaging user
> guide, we can discuss it there.
>
> > and, besides the need for fixing the various discussions/pages, I think
> > that PEP470 should contribute to a more careful discussion of the feature
> > (it's fine for the actual external linking to existing pypi projects
> > use case, mind you).
>
> So if I read you correctly, you're saying that the PEP 470 usage of
> --extra-index-url is fine. That's good.
>
> I don't think it's the place of PEP 470 to discuss *other* uses of
> --extra-index-url. Having an example in there seemed fine to me, but
> if it brings up issues unrelated to the PEP then I think it's a
> distraction and should be removed. And I believe that's what has
> happened. So again, that's good.
>
> > And I guess pip should have a warning note in
> > the option help to help educate users.
>
> Again, not for the PEP, but feel free to raise a PR for pip (but once
> again, I reserve the right to disagree with that PR when it's raised
> :-)).
>
> Paul
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
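An added audit script, not part of the thread and not pip's or the packaging guide's code, for the exposure holger describes: with --extra-index-url pip treats the public and private indexes as peers, so a private project name that nobody has claimed on PyPI must be registered there first. The script parses a requirements file, normalizes names the way PEP 503 indexes do, and lists private names that are still unclaimed; the requirements list, private index contents and the offline stand-in for PyPI are constructed sample data, and the live `on_public_pypi` lookup (PyPI's JSON API) is only used when no offline lookup is passed.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> Optional[str]:
    """Project name from one requirements.txt line; None for comments, blanks and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # stops before extras/specifiers/markers
    return normalize(m.group(0)) if m else None


def on_public_pypi(name: str) -> bool:
    """Live lookup (needs network): does a project with this name exist on PyPI?"""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def unregistered_private_names(requirements: Iterable[str], private_names: Iterable[str],
                               exists: Callable[[str], bool] = on_public_pypi) -> List[str]:
    """Private names this project installs whose name is still unclaimed on the public index;
    these are the ones that have to be registered on PyPI before --extra-index-url is safe."""
    private = {normalize(n) for n in private_names}
    wanted = {n for n in map(requirement_name, requirements) if n}
    return sorted(n for n in wanted & private if not exists(n))


# Constructed sample data (not from the thread): a requirements file, the names the
# private index serves, and an offline stand-in for "what currently exists on PyPI".
SAMPLE_REQUIREMENTS = [
    "# internal tooling",
    "requests>=2.0",
    "Acme_Internal-Tools[cli]==1.4 ; python_version >= '3.8'",
    "acme.billing",
    "-e git+https://example.invalid/repo.git#egg=ignored",
]
SAMPLE_PRIVATE = ["acme-internal-tools", "acme-billing", "acme-auth"]
SAMPLE_PUBLIC = {"requests", "acme-billing"}

if __name__ == "__main__":
    print(unregistered_private_names(SAMPLE_REQUIREMENTS, SAMPLE_PRIVATE, SAMPLE_PUBLIC.__contains__))
```

Drop the third argument to run it against live PyPI; a name that is already present on PyPI but was not registered by your own organization needs a separate look, since this check only reports unclaimed names.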
