Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-10 Thread Nick Coghlan
On Sun, Feb 10, 2013 at 6:56 PM, Marcus Smith wrote: > For many users, virtualenvs are their "user install", and "sudo" global > installs are pretty rare. So, putting in a lot of work to fix what to many > seems like a rare behavior makes me a little hesitant. But "many users" > isn't all I guess

[Catalog-sig] Use user-specific site-packages by default?

2013-02-10 Thread Marcus Smith
Hello, another pip maintainer here (I think that's 4 of us in here now that I know of). I just joined this list, so couldn't respond to the original email, so just pasted it below. I haven't read all the way through all the messages, so apologize for redundancies. This all sounds reasonable to m

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-06 Thread martin
Quoting Terry Reedy: Currently, it similarly (last I knew) requires an explicit license before accepting and distributing code (as opposed to index info) on PyPI. That appears to be a conservative, better safe than sorry, policy recommended by the PSF lawyer. The precise text is in ht

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-06 Thread Terry Reedy
On 2/5/2013 5:59 PM, holger krekel wrote: On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote: On 2/5/2013 11:35 AM, Lennart Regebro wrote: On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft wrote: Besides the issues with validating that the package We are mirroring is the authentic one there's

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-06 Thread Tres Seaver
On 02/05/2013 05:28 AM, Stephen Thorne wrote: > On Tue, Feb 5, 2013 at 10:16 AM, Lennart Regebro > wrote: > >> We do also have at least one Distribute maintainer on the list. For >> Setuptools it would be best if Distribute and Setuptools could be

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Richard Jones
On 6 February 2013 00:09, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote: > > Anyone know which ones? scipy is the largest I know of, at 6-7 MB. > > Someone told me once (Richard maybe?) I think the one mentioned was > one of the GUI toolkits? If there is one

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread holger krekel
On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote: > On 2/5/2013 11:35 AM, Lennart Regebro wrote: > >On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft > >wrote: > >>Besides the issues with validating that the package We are mirroring > >>is the authentic one there's also a legal issue. We don't

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 9:54 PM, Terry Reedy wrote: > The last I read (and I cannot find the seemingly hidden page) the author (or > rights-holder) of code must grant PSF something more than just > redistribution rights before uploading it. The same must also certify some > mumbo-jumbo about compli

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote: > Why is downloading from > code.google.com (http://code.google.com), for instance, worse than from > pypi.python.org (http://pypi.python.org)? http://prettytable.googlecode.com/files/prettytable-0.6.tar.gz ^ What secures that (totally

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 4:04 PM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote: > > Why is downloading from > > code.google.com (http://code.google.com), for instance, worse than from > > pypi.python.org (http://pypi.python.org)? > > > > http://prettyt

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Jesse Noller
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote: > On 2/5/2013 8:02 AM, Jesse Noller wrote: > > > > > > On Feb 5, 2013, at 7:51 AM, Donald Stufft > (mailto:donald.stu...@gmail.com) > > > wrote: > > > > > On Tuesday, February 5, 2013 at 5:16 AM, Lenn

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Terry Reedy
On 2/5/2013 8:02 AM, Jesse Noller wrote: On Feb 5, 2013, at 7:51 AM, Donald Stufft mailto:donald.stu...@gmail.com>> wrote: On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: 1. Packages should only be installed from the given package indexes. No scraping of websites as at least

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Terry Reedy
On 2/5/2013 11:35 AM, Lennart Regebro wrote: On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft wrote: Besides the issues with validating that the package We are mirroring is the authentic one there's also a legal issue. We don't know for sure that we have the legal rights to redistribute those file

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Antoine Pitrou
Hello, M.-A. Lemburg writes: > > > > If pip used the user site packages by default (when running as anyone > > other than root), that dangerous UI flow wouldn't happen. Even when > > pip was run outside a virtualenv, it would "just work" from the user's > > perspective. It also has t

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Carl Meyer
On 02/05/2013 04:58 AM, Nick Coghlan wrote: > So, to clarify, the behaviour I would *like* to see pip exhibiting is > for the default install location to *change*, rather than trying to > install to the system packages directory and then implicitly falling > back to the user directory if that fails

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft wrote: > Besides the issues with validating that the package We are mirroring > is the authentic one there's also a legal issue. We don't know for sure > that we have the legal rights to redistribute those files. When you upload > a file to PyPI you gr

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 10:41 AM, holger krekel wrote: > MITM attacking any of the many world-wide pypi/easy_install downloads > from external sites is much easier than tampering a few one-time > downloads (verified against each other) for pypi.python.org > (http://pypi.python.org)'s >

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread holger krekel
On Tue, Feb 05, 2013 at 10:18 -0500, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote: > > Transporting almost all externally reachable packages to be locally pypi > > served is also kind of a low hanging fruit, although probably slightly > > higher hanging than

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 4:14 PM, holger krekel wrote: >> Sure, and that's another problem, and the low-hanging fruit there is >> using https. > > Transporting almost all externally reachable packages to be locally pypi > served is also kind of a low hanging fruit, although probably slightly > highe

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote: > Transporting almost all externally reachable packages to be locally pypi > served is also kind of a low hanging fruit, although probably slightly > higher hanging than SSL :) The point is that we can have some control over > those pac

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread holger krekel
On Tue, Feb 05, 2013 at 16:07 +0100, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel wrote: > > I wouldn't assume that maintainers are easily reachable. I've contacted at > > least three people of different (>1K downloads) packages which never > > responded. > > We really

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth wrote: > As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped > SHA2 hash of the file to be downloaded from an external host would be enough > to detect tampering over time. Hm. The discussion about signatures of files on the PSF l

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Nick Coghlan
On Wed, Feb 6, 2013 at 1:06 AM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote: > > Point taken. I guess unless someone sits down and writes a PEP-ish path for > fortification, it's gonna be hard to assess viability and resilience > against the several attack v

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 10:06 AM, Giovanni Bajo wrote: > I do agree; in fact, I'm not the one suggesting to eg. pinning CA > certificates. > > What I'm saying is that it's far more important to fix HTTPS in PyPI than to > verify GPG signatures. So when I hear the argument "if we just ver

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel wrote: > I wouldn't assume that maintainers are easily reachable. I've contacted at > least three people of different (>1K downloads) packages which never > responded. We really can't do very much about abandoned packages. > And of course, i didn't

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote: > Point taken. I guess unless someone sits down and writes a PEP-ish path for > fortification, it's gonna be hard to assess viability and resilience > against the several attack vectors which should be sorted/prioritized. > > Or is some

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Giovanni Bajo
On 05/feb/2013, at 15:57, Nick Coghlan wrote: > On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo wrote: >> On 05/feb/2013, at 15:06, Holger Krekel >> wrote: >> >> In the end, however, none of this prevents MITM attacks between a downloader >> and pypi.python.

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 9:54 AM, Jim Fulton wrote: > pip will need to learn to prefer non-final releases. > > PEP426 states this as part of its requirements so I expect all package tools to move that way, and, at the risk of promising time I don't have, if someone else doesn't make pip

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 2:56 PM, M.-A. Lemburg wrote: > As an example: the files (sources, eggs, installers and prebuilt > binaries, for 3 Python versions, two Unicode build variants, > both 32/64-bit architectures and 4 different platforms) > we host for our egenix-mx-base distribution use up 545M

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Nick Coghlan
On Wed, Feb 6, 2013 at 12:54 AM, Jim Fulton wrote: > pip will need to learn to prefer non-final releases. > > I was pressed to put buildout alpha and beta releases on a separate site > because of the concern that they'd be installed inadvertently by pip. FWIW, PEP 426 aims to address this by expr

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread holger krekel
On Tue, Feb 05, 2013 at 15:46 +0100, Giovanni Bajo wrote: > On 05/feb/2013, at 15:06, Holger Krekel > wrote: > > > In the end, however, none of this prevents MITM attacks between a > > downloader and pypi.python.org. Or between the uploader and > > pypi.python.org (using bas

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Nick Coghlan
On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo wrote: > On 05/feb/2013, at 15:06, Holger Krekel > wrote: > > In the end, however, none of this prevents MITM attacks between a downloader > and pypi.python.org. Or between the uploader and pypi.python.org (using > basic auth over

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 2:42 PM, Donald Stufft wrote: > If you break people's ability to install packages right away they'll refuse > to upgrade. Good point. We want the problems to be fixed, not avoided. One thing just struck me: We have the maintainer emails of most packages (although they might

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Jim Fulton
On Tue, Feb 5, 2013 at 5:16 AM, Lennart Regebro wrote: ... > 1. Packages should only be installed from the given package indexes. > No scraping of websites as at least easy_install/buildout does, no > downloading from external download links. A deprecation period for > this of a couple of months

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Giovanni Bajo
On 05/feb/2013, at 15:06, Holger Krekel wrote: > In the end, however, none of this prevents MITM attacks between a downloader > and pypi.python.org. Or between the uploader and pypi.python.org (using > basic auth over http often). Signing methods like > https://wiki.archli

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Giovanni Bajo
On 05/feb/2013, at 15:34, Daniel Holth wrote: > On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote: >> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped >> SHA2 hash of the file to be down

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Daniel Holth
On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote: > > As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped > SHA2 hash of the file to be downloaded from an external host would be > enough to detect tampering ove

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Nick Coghlan
On Tue, Feb 5, 2013 at 11:55 PM, Jeroen Dekkers wrote: > At Tue, 5 Feb 2013 11:36:46 +1000, > Nick Coghlan wrote: >> Something that caught my attention in the recent security discussions >> is the observation that one of the most common insecure practices in >> the Python community is to run "sudo

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote: > As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped > SHA2 hash of the file to be downloaded from an external host would be enough > to detect tampering over time. You could do this, still lowers the overall avai

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 9:05 AM, M.-A. Lemburg wrote: > Hmm, packages aren't validated on PyPI either. You'd need an appstore > team for that :-) > > Note that file storage itself can be insecure without any problem. > You only have to make sure that the file's contents of the downloaded >

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Daniel Holth
On Tue, Feb 5, 2013 at 9:06 AM, Holger Krekel wrote: > > On Tue, Feb 5, 2013 at 2:13 PM, Lennart Regebro wrote: > >> On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel >> wrote: >> > Dropping the crawling over external pages needs _much_ more than just a >> few >> > months deprecation warnings, rathe

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Holger Krekel
On Tue, Feb 5, 2013 at 2:13 PM, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel > wrote: > > Dropping the crawling over external pages needs _much_ more than just a > few > > months deprecation warnings, rather years. There are many packages out > > there, and it would b

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 14:18, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote: >> That will mean that a man in the middle-attack might poison PyPI's >> cache. I don't think that's a feasible path forward. >> >> Packages do not need to be "cached", as they are not supp

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 14:06, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft wrote: >> PyPI will need to change for this to happen realistically if I recall. There >> is a hard limit on how large of a distribution can be uploaded to PyPI >> and there are, if I recall, valid distribu

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Jeroen Dekkers
At Tue, 5 Feb 2013 11:36:46 +1000, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrusted networks

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 8:34 AM, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote: > > A longer deprecation wouldn't be a bad thing merely because a lot > > of people depend on this feature without even realizing it. Crate has

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft wrote: > A longer deprecation wouldn't be a bad thing merely because a lot > of people depend on this feature without even realizing it. Crate has > an index you can use that removes all external urls to test your own > projects on. --index-url=https:

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel (mailto:holger.kre...@gmail.com)> wrote: > > Dropping the crawling over external pages needs _much_ more than just a few > > months deprecation warnings, rather years. There are many pac

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel wrote: > Dropping the crawling over external pages needs _much_ more than just a few > months deprecation warnings, rather years. There are many packages out > there, and it would break people's installations. No it won't. Nothing gets uninstalled.

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote: > Anyone know which ones? scipy is the largest I know of, at 6-7 MB. Someone told me once (Richard maybe?) I think the one mentioned was one of the GUI toolkits? If there is one I'm sure there are others so if that is a direction tha

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Holger Krekel
On Tue, Feb 5, 2013 at 2:05 PM, Jesse Noller wrote: > > > On Feb 5, 2013, at 8:02 AM, Holger Krekel wrote: > > On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft wrote: > >> On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: >> >> 1. Packages should only be installed from the given pac

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft wrote: > PyPI will need to change for this to happen realistically if I recall. There > is a hard limit on how large of a distribution can be uploaded to PyPI > and there are, if I recall, valid distributions which are larger than that. Anyone know wh

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Jesse Noller
On Feb 5, 2013, at 8:02 AM, Holger Krekel wrote: > On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft wrote: >> On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: >>> 1. Packages should only be installed from the given package indexes. >>> No scraping of websites as at least easy_insta

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Holger Krekel
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: > > 1. Packages should only be installed from the given package indexes. > No scraping of websites as at least easy_install/buildout does, no > downloading from external downloa

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Jesse Noller
On Feb 5, 2013, at 7:51 AM, Donald Stufft wrote: > On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: >> 1. Packages should only be installed from the given package indexes. >> No scraping of websites as at least easy_install/buildout does, no >> downloading from external download

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote: > 1. Packages should only be installed from the given package indexes. > No scraping of websites as at least easy_install/buildout does, no > downloading from external download links. A deprecation period for > this of a couple of mont

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Nick Coghlan
On Tue, Feb 5, 2013 at 7:57 PM, Giovanni Bajo wrote: > One meta-question: does this mailing-list have any "authority" over pip? Are > there any pip maintainers here? Because I see that pip development is being done > on different channels, so I was wondering what is the workflow to discuss > such

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Stephen Thorne
On Tue, Feb 5, 2013 at 10:16 AM, Lennart Regebro wrote: > We do also have at least one Distribute maintainer on the list. For > Setuptools it would be best if Distribute and Setuptools could be > merged. > +1 on this. On #python we daily get people asking about bugs in setuptools, and they're ge

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 10:57 AM, Giovanni Bajo wrote: > One meta-question: does this mailing-list have any "authority" over pip? Nope. And none over Distribute/Setuptools either. > Are there any pip maintainers here? Yes, at least one. But the more the merrier as they may have useful insights

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Giovanni Bajo
On 05/feb/2013, at 02:36, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrus

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Yuval Greenfield
On Tue, Feb 5, 2013 at 10:19 AM, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg wrote: > > Looks like a slippery road if you try to make pip guess > > what the right installation dir should be, e.g. by trying > > to detect that it's running in a virtualenv, the Python3 >

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg wrote: > The solution Nick proposed also has another issue: it would > install packages meant for a virtualenv in the user's site > packages dir (outside the virtualenv)... "If pip used the user > site packages by default (when running as anyone other

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 09:02, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg wrote: >> On 05.02.2013 02:36, Nick Coghlan wrote: >>> Something that caught my attention in the recent security discussions >>> is the observation that one of the most common insecure practices in >>> the

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg wrote: > On 05.02.2013 02:36, Nick Coghlan wrote: >> Something that caught my attention in the recent security discussions >> is the observation that one of the most common insecure practices in >> the Python community is to run "sudo pip" with unsigne

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread M.-A. Lemburg
On 05.02.2013 02:36, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrusted networks). > > To my

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Nick Coghlan
On Tue, Feb 5, 2013 at 3:20 PM, Yuval Greenfield wrote: > Excellent idea. > > I've been using "sudo pip install" since forever for the exact reason you > mention. I don't even know how to install anything with pip and no sudo. If you're not inside a virtualenv, then "pip install --user " will ins

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Yuval Greenfield
On Tue, Feb 5, 2013 at 3:36 AM, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrusted networks)

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Richard Jones
On 5 February 2013 13:45, Carl Meyer wrote: > On 02/04/2013 07:42 PM, Donald Stufft wrote: >> I think the biggest problem with this idea is going to be backwards >> compatibility. It's a good idea but it might need to be done as >> a "if we don't have permissions to write to the site-packages dire

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Carl Meyer
On 02/04/2013 07:42 PM, Donald Stufft wrote: > I think the biggest problem with this idea is going to be backwards > compatibility. It's a good idea but it might need to be done as > a "if we don't have permissions to write to the site-packages directory > fail with a good error message and recomme

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Donald Stufft
On Monday, February 4, 2013 at 9:40 PM, Richard Jones wrote: > On 5 February 2013 12:36, Nick Coghlan (mailto:ncogh...@gmail.com)> wrote: > > [snip "sudo pip" common & bad] > > > > If pip used the user site packages by default (when running as anyone > > other than root), that dangerous UI flow w

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Richard Jones
On 5 February 2013 12:36, Nick Coghlan wrote: > [snip "sudo pip" common & bad] > > If pip used the user site packages by default (when running as anyone > other than root), that dangerous UI flow wouldn't happen. > > Thoughts? I think it's a great idea. Perhaps also having pip warn about being r

[Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Nick Coghlan
Something that caught my attention in the recent security discussions is the observation that one of the most common insecure practices in the Python community is to run "sudo pip" with unsigned packages (sometimes on untrusted networks). To my mind, this is a natural reaction to the user experien