On Thu, Jan 9, 2020 at 3:29 PM Paul Moore <p.f.mo...@gmail.com> wrote: >
Thanks Mr. Paul Moore, co-author of PEP441 for contributing to the discussion. Enchanté, as you say in French 🎉 > But you haven't explained what problem adding metadata would solve. Writing here at the same time for more points below asking for what problem adding metadata solves. Well to begin with, the Python community still views zip archives as mere zip archives. In the Python Be Bold - Draft thread on the Python list i listed different ways in which zip archives are being used in ways that are more than just archives. I have taken Java as an example (you can refer to the draft here <https://mail.python.org/pipermail/python-list/2020-January/895056.html>) as Python shares some similarities in having a VM, having bytecodes and being labelled as a cross-platform language. The draft shows different ways in which we can improve a mere Zip archive to the level where more ambitious projects might be built. I have also described the signing mechanism of .jars etc Having metadata in zip archives is one baby step on using archives as apps. The current thread being a spinoff of this <https://mail.python.org/pipermail/python-list/2020-January/894987.html> and that <https://mail.python.org/pipermail/python-list/2020-January/895056.html> thread, it is recommended that before coming to this thread, people go through these threads, see the conclusions reached on some aspects. Reading this draft by itself raises many whys which i'll just copy paste to answer > You can already bundle (pure Python) dependencies, just use pip > install --target to place them in a directory alongside your > application, add some code in your app to set sys.path, and bundle the > whole lot in a zipapp. Many people do this already. So if what you're > proposing is to make that process easier, then great, but you're not > explaining things very well, <<Many people do this already>> That's precisely it. Many people do it which shows that there's a need, many tools have been built but this proposal proposes to make dependencies bundling 'official', enabling python to ease the process. As i said earlier: <<there are prototypes with the above features which work.>> > And yet again, you haven't explained how these additional features > will solve problems that users are actually encountering. Sure, it's > easy to say "security will avoid problems with malicious code" - but > what specific attacks are people finding to be an issue, and how will > your proposed solution address them? (You say you're still > investigating signing - I'd suggest dropping that part of your > proposal for now if you don't know how it will work yet). Referring to your below part of "that's your mistake" i think yes it's a good idea > There's discussion because no-one can work out what problem you're > trying to solve, not because your proposal includes a number of > aspects. The discussion has been over signing and cross-platforming > Maybe that was a mistake :-) Start small, and then build on your > success once the first part is done. Ok will do!
_______________________________________________ Python-ideas mailing list -- python-ideas@python.org To unsubscribe send an email to python-ideas-le...@python.org https://mail.python.org/mailman3/lists/python-ideas.python.org/ Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/KRFDTUH547R5ZZF2VBQGFDQ7SH5UJ3KJ/ Code of Conduct: http://python.org/psf/codeofconduct/