On 08.05.2014 15:58, Donald Stufft wrote:
> 
> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> 
>> Well, to be fair and leaving aside uptime concerns and the general
>> desire to always install packages from some server instead of
>> a safe and trusted local directory (probably too obvious ;-),
>> it would certainly be possible to add support for
>> trusted externally hosted packages.
> 
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
> 
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
> 
> The hash can be md5 or any of the sha-2 family.
> 
> Now this does not mean that ``pip install cdecimal`` will automatically install
> this, because whether or not you're willing to install from servers other than
> PyPI[1] is a policy decision for the end user of pip. 

Hmm, if you call that feature "trusted externally hosted packages",
pip should really trust them, right? ;-)

I can understand that pip defaults to not trusting URLs which don't
meet the above feature requirements, but not that it still warns
about unreliable externally hosted packages even if the above
feature is used.

At the moment, pip will refuse to use externally hosted files even
if the package author uses the above hashed URLs; even with HTTPS
and a proper SSL certificate chain.

> The only real contention
> point there is whether installing from other servers should be on or off by
> default. PEP438 selected off by default, and I agree with that decision.
> Installing externally hosted files, which are able to be safely downloaded[2],
> was a surprising behavior to *everyone* I've talked to who hadn't already
> discovered that pip/easy_install did that. For the people it wasn't surprising
> to, they said it was surprising when they had originally discovered it[3].
> 
> [1] To be specific, other than the configured index(es), which happens to
>     default to PyPI.
> [2] For the definition of safe that PyPI/pip operate under, which is that the
>     author of a package is assumed to be trusted by the person electing to
>     download their package.
> [3] I suspect people who were around when PyPI *couldn't* host files and were
>     only an index would be the exception to this.
> 
>>
>> However, for some reason there's a strong resistance against
>> doing this, which I frankly don't understand.
>>
>> I agree with Stefan that the warning message wording is less
>> than ideal. You'd normally call such blanket statements FUD,
>> esp. since there are plenty external hosting services which
>> are reliable and safe to use.
>>
> 
> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
> 
>     cdecimal an externally hosted file and may be unreliable
> 
> Which is true as far as I can tell, it is externally hosted, and it may be
> unreliable[1]. If there is a better wording for that I’m happy to have it and
> will gladly commit it myself to pip.

The current version of pip writes:

Downloading/unpacking pkg
  Could not find any downloads that satisfy the requirement pkg
  Some externally hosted files were ignored (use --allow-external pkg to allow).
Cleaning up...
No distributions at all found for pkg

This wording is fine, IMO. The wording Stefan quoted gets generated
for dependencies. This should probably be changed to the same wording
(including the reference to the right command line option to use).

> [1] In my experience dealing with complaints of pip's users, one of their big
>     ones was that some dependency they use was, typically unknown to them,
>     hosted externally and they found out it was hosted externally because the
>     server it was hosted on went down.

I think that's a general problem, not one of some server being down:
users put too much trust into the dependencies of packages they use.

Regardless of how safe/reliable we make things w/r to file hosting,
this problem does not go away. It's just too easy for people to
get tricked into trusting packages they don't even know about.

Nothing we'll ever change, though. People are lazy and easily
drop all such concerns for ease of use :-(

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, May 08 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
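The hashed-URL mechanism discussed in the thread (a `#<algo>=<hexdigest>` fragment on an externally hosted link, md5 or SHA-2, and pip's external-host policy that is off by default) is easy to get subtly wrong, so here is a worked illustration. This is an added example, not pip's own code or anything from the thread: it assumes the fragment is exactly `<algo>=<hexdigest>`, it demands a digest for every candidate file (stricter than pip was at the time), and the status strings, the `check_link`/`attach_hash` names and the sample bytes are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Digest names pip accepts in a link fragment: md5 or the SHA-2 family
# (as stated in the quoted message). Assumption for this example: the
# fragment is exactly "<algo>=<hexdigest>".
SUPPORTED_DIGESTS = {"md5", "sha224", "sha256", "sha384", "sha512"}
WEAK_DIGESTS = {"md5"}          # collision attacks are practical; flag it


def parse_hash_fragment(url):
    """Split 'https://host/file.tar.gz#sha256=abcd...' into
    (url_without_fragment, algo, hexdigest).  algo/hexdigest are None
    when the fragment is missing or does not name a supported digest."""
    parts = urlsplit(url)
    clean = parts._replace(fragment="").geturl()
    algo, sep, digest = parts.fragment.partition("=")
    algo = algo.lower()
    digest = digest.lower()
    if not sep or algo not in SUPPORTED_DIGESTS or not digest:
        return clean, None, None
    # A truncated or non-hex digest can never match; reject it early
    # instead of letting a malformed fragment look like a "verified" link.
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        return clean, None, None
    return clean, algo, digest


def attach_hash(url, data, algo="sha256"):
    """Build the link form an author registers on the index for a file
    hosted elsewhere: the plain URL plus '#<algo>=<hexdigest>'."""
    if algo not in SUPPORTED_DIGESTS:
        raise ValueError("unsupported digest: %s" % algo)
    return "%s#%s=%s" % (url, algo, hashlib.new(algo, data).hexdigest())


def verify_download(data, algo, expected_hex):
    """Constant-time comparison of the downloaded bytes' digest against
    the value carried in the fragment."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def check_link(url, data, index_hosts, allow_external=False):
    """Policy decision for one candidate file, modelled on the behaviour
    described in the thread (external hosts are off by default, even when
    the link carries a hash).  Returns a short status string rather than
    raising, so a caller can report every candidate the way pip lists
    "ignored" files.  Status names are this example's own."""
    clean, algo, digest = parse_hash_fragment(url)
    host = urlsplit(clean).hostname
    external = host not in index_hosts
    if external and not allow_external:
        return "ignored-external"       # needs --allow-external <pkg>
    if algo is None:
        return "unverifiable"           # no usable hash fragment
    if not verify_download(data, algo, digest):
        return "digest-mismatch"        # tampered or corrupted download
    if algo in WEAK_DIGESTS:
        return "ok-weak-digest"         # matches, but md5 is collision-prone
    return "ok"


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for a tarball, not a real release.
    sample = b"fake sdist contents for the example\n"
    url = attach_hash("https://files.example.org/pkg-1.0.tar.gz", sample)
    print(url)
    print(check_link(url, sample, {"pypi.python.org"}))
    print(check_link(url, sample, {"pypi.python.org"}, allow_external=True))
    print(check_link(url, sample + b"!", {"pypi.python.org"}, allow_external=True))
```

The order of the checks is the point: an external host is rejected before the digest is even looked at, which is exactly the behaviour Marc-Andre complains about above, and a matching md5 is reported separately from a matching SHA-2 digest because md5 only protects against corruption, not against an attacker who can choose both colliding files.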