Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 2:35 PM, M.-A. Lemburg wrote: > > On 08.10.2014 16:04, Donald Stufft wrote: >> >>> I'd also like to request that you take Holger's concerns more >>> seriously, perhaps add him as PEP author and let him participate >>> in clarifying it (if he still feels like investing time

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 2:55 PM, Paul Moore wrote: > > There's a tension here in that > PEPs have to speak in terms of "installers" and not target pip > specifically, as it's important to us that pip competes on an equal > footing with other installers, and we don't act as if we have a > privileged

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 19:35, M.-A. Lemburg wrote: > On 08.10.2014 16:04, Donald Stufft wrote: >> >>> I'd also like to request that you take Holger's concerns more >>> seriously, perhaps add him as PEP author and let him participate >>> in clarifying it (if he still feels like investing time in this).

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 19:09, M.-A. Lemburg wrote: > Thanks for your clarification, Paul. In the interest of making sure everyone is understanding each other, I'm going to follow up on this. I think there are some perceptions that differ slightly, and some concerns that people have, that make this a s

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread M.-A. Lemburg
On 08.10.2014 16:04, Donald Stufft wrote: > >> I'd also like to request that you take Holger's concerns more >> seriously, perhaps add him as PEP author and let him participate >> in clarifying it (if he still feels like investing time in this). > > I take all concerns and feedback seriously else

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread M.-A. Lemburg
On 08.10.2014 15:15, Paul Moore wrote: > On 8 October 2014 13:55, M.-A. Lemburg wrote: >> If pip decides to go with a strategy that ignores this, I think we >> have a problem. The core developers put trust into pip when allowing >> it to (effectively) get distributed with Python and making it the

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread M.-A. Lemburg
On 08.10.2014 15:59, Nick Coghlan wrote: > On 8 Oct 2014 23:40, "M.-A. Lemburg" wrote: >> The intention of PEP 435 was to enable pip to evolve independent >> of the Python release process, which is a good thing. >> >> However, your comment that "We are an external project and we are not >> bound b

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Chris Jerdonek
I have a suggestion. Holger obviously feels he has something very important to say, and a lot of e-mails have already been sent back and forth. Is there some way that Donald, Nick, and Holger could perhaps have a conference call or hangout of some sort just for the purpose of understanding and/or

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 9:40 AM, M.-A. Lemburg wrote: > > On 08.10.2014 15:05, Donald Stufft wrote: >> >>> On Oct 8, 2014, at 8:55 AM, M.-A. Lemburg wrote: >>> >>> On 08.10.2014 14:30, Nick Coghlan wrote: On 8 October 2014 22:22, Donald Stufft wrote: > >> On Oct 8, 2014, at 8:17 A

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 Oct 2014 23:40, "M.-A. Lemburg" wrote: > > The intention of PEP 435 was to enable pip to evolve independent > of the Python release process, which is a good thing. > > However, your comment that "We are an external project and we are not > bound by the PEP process." doesn't really pan out in

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread M.-A. Lemburg
On 08.10.2014 15:05, Donald Stufft wrote: > >> On Oct 8, 2014, at 8:55 AM, M.-A. Lemburg wrote: >> >> On 08.10.2014 14:30, Nick Coghlan wrote: >>> On 8 October 2014 22:22, Donald Stufft wrote: > On Oct 8, 2014, at 8:17 AM, holger krekel wrote: > > Also, i am worried on principl

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 13:59, holger krekel wrote: > But if you and Nick as authors refuse my suggestions (mainly: > backward compat, more careful reasoning about multi-index ops) then i am > currently clearly -1 on the PEP because i think it does more harm than good. Holger, there's been a lot said i

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 13:55, M.-A. Lemburg wrote: > If pip decides to go with a strategy that ignores this, I think we > have a problem. The core developers put trust into pip when allowing > it to (effectively) get distributed with Python and making it the > default Python packaging manager. Please u

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 8:59 AM, holger krekel wrote: > > On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote: >>> On Oct 8, 2014, at 8:43 AM, holger krekel wrote: >>> >>> On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote: On 8 October 2014 21:40, holger krekel wrote: >

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 8:55 AM, M.-A. Lemburg wrote: > > On 08.10.2014 14:30, Nick Coghlan wrote: >> On 8 October 2014 22:22, Donald Stufft wrote: >>> On Oct 8, 2014, at 8:17 AM, holger krekel wrote: Also, i am worried on principle grounds if pip maintainers are putting the

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote: > > On Oct 8, 2014, at 8:43 AM, holger krekel wrote: > > > > On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote: > >> On 8 October 2014 21:40, holger krekel wrote: > >>> > >>> No, i am not concerned about the extra index supplying w

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread M.-A. Lemburg
On 08.10.2014 14:30, Nick Coghlan wrote: > On 8 October 2014 22:22, Donald Stufft wrote: >> >>> On Oct 8, 2014, at 8:17 AM, holger krekel wrote: >>> >>> Also, i am worried on principle grounds if pip maintainers are putting >>> themselves outside PEP reach, yet pip is distributed along with Pytho

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 8:43 AM, holger krekel wrote: > > On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote: >> On 8 October 2014 21:40, holger krekel wrote: >>> >>> No, i am not concerned about the extra index supplying whatever packages. >>> After all, the users specifies the option and s

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote: > On 8 October 2014 21:40, holger krekel wrote: > > > > No, i am not concerned about the extra index supplying whatever packages. > > After all, the users specifies the option and should trust that index. > > > > I am concerned about the fac

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 8:24 AM, Nick Coghlan wrote: > > On 8 October 2014 22:17, holger krekel wrote: >> On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote: >>> On 8 October 2014 12:40, holger krekel wrote: I am concerned about the fact that public PyPI links are merged in even for

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 22:22, Donald Stufft wrote: > >> On Oct 8, 2014, at 8:17 AM, holger krekel wrote: >> >> Also, i am worried on principle grounds if pip maintainers are putting >> themselves outside PEP reach, yet pip is distributed along with Python. > > We’re not “putting ourselves outside of P

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 22:17, holger krekel wrote: > On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote: >> On 8 October 2014 12:40, holger krekel wrote: >> > I am concerned about the fact that public PyPI links are merged in even >> > for my private packages residing on the extra index. >> >> Blun

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 8:17 AM, holger krekel wrote: > > Also, i am worried on principle grounds if pip maintainers are putting > themselves outside PEP reach, yet pip is distributed along with Python. We’re not “putting ourselves outside of PEP reach”. We are an external project and we are not b

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 21:40, holger krekel wrote: > > No, i am not concerned about the extra index supplying whatever packages. > After all, the users specifies the option and should trust that index. > > I am concerned about the fact that public PyPI links are merged in even > for my private packages

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote: > On 8 October 2014 12:40, holger krekel wrote: > > I am concerned about the fact that public PyPI links are merged in even > > for my private packages residing on the extra index. > > Bluntly, that's irrelevant. I disagree. The PEP uses me

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 12:40, holger krekel wrote: > I am concerned about the fact that public PyPI links are merged in even > for my private packages residing on the extra index. Bluntly, that's irrelevant. That's how pip works. Maybe it's not the best way, maybe a feature request for pip would be w

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 21:22 +1000, Nick Coghlan wrote: > On 8 October 2014 20:57, holger krekel wrote: > > On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote: > > Well, for installing NAME from pypi you need to trust that the people > > who registered and maintain NAME are not doing somethi

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 20:57, holger krekel wrote: > On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote: > Well, for installing NAME from pypi you need to trust that the people > who registered and maintain NAME are not doing something bad (and the > machine is not compromised but in that case all

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 7:03 AM, Paul Moore wrote: > > On 8 October 2014 11:33, holger krekel wrote: >>> The use of --extra-index-url in >>> PEP 470 is to show how someone would add one of the extra repositories for a >>> project that is indexed on PyPI, which is again roughly as safe as >>> inst

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Paul Moore
On 8 October 2014 11:33, holger krekel wrote: >> The use of --extra-index-url in >> PEP 470 is to show how someone would add one of the extra repositories for a >> project that is indexed on PyPI, which is again roughly as safe as installing >> from PyPI at all. > > Then we are reading the section

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote: > On 8 October 2014 19:44, Donald Stufft wrote: > >> On Oct 8, 2014, at 4:44 AM, holger krekel wrote: > >> I am sorry if raising the issue of private/public compromises sounds > >> like FUD to you. From my experience it's a real attack vec

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 20:33, holger krekel wrote: > > Then we are reading the sections i cite above very differently -- IMO > you and the PEP generally push for multi-index ops without explaining > the risks. Note that this explanation is present in the PEP: Currently both pip and setuptools imp

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 19:44, Donald Stufft wrote: >> On Oct 8, 2014, at 4:44 AM, holger krekel wrote: >> I am sorry if raising the issue of private/public compromises sounds >> like FUD to you. From my experience it's a real attack vector. I talked >> about this at EP2014 (http://youtu.be/aNrrGf-uN

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 06:24 -0400, Donald Stufft wrote: > > On Oct 8, 2014, at 6:06 AM, holger krekel wrote: > > > > On Wed, Oct 08, 2014 at 05:44 -0400, Donald Stufft wrote: > >> > >> I think raising the issue is FUDish because it has nothing to do with using > >> multi repository support for

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Nick Coghlan
On 8 October 2014 20:06, holger krekel wrote: > Given that PyPI is a wiki and Linux Distros are a curated index, i > insist it's dangerous to recommend to mix multiple indexes with pip if > you don't know quite exactly what you are doing. Do you really disagree > on this? Hence this line in the

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 6:06 AM, holger krekel wrote: > > On Wed, Oct 08, 2014 at 05:44 -0400, Donald Stufft wrote: >> >> I think raising the issue is FUDish because it has nothing to do with using >> multi repository support for things that are registered on PyPI. > > Well, the PEP has two cent

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 05:44 -0400, Donald Stufft wrote: > > On Oct 8, 2014, at 4:44 AM, holger krekel wrote: > > > > On Wed, Oct 08, 2014 at 03:47 -0400, Donald Stufft wrote: > >>> On Oct 8, 2014, at 3:17 AM, holger krekel wrote: > >>> Worse security problems loom with current multi-index ops

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 4:44 AM, holger krekel wrote: > > On Wed, Oct 08, 2014 at 03:47 -0400, Donald Stufft wrote: >>> On Oct 8, 2014, at 3:17 AM, holger krekel wrote: >>> Worse security problems loom with current multi-index ops like >>> the --extra-index-url option which is advertised prominent

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Wed, Oct 08, 2014 at 03:47 -0400, Donald Stufft wrote: > > On Oct 8, 2014, at 3:17 AM, holger krekel wrote: > > Worse security problems loom with current multi-index ops like > > the --extra-index-url option which is advertised prominently in PEP470. > > You recommend to use it for private pack
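The recurring technical point in this thread is that when an installer is given a primary index plus an extra index, links for the same project name are merged from both and the best version wins, so a name that exists only on a private extra index can be shadowed by anyone who registers that name on the public index. The following simulation is an added example written for this page; it is not pip's code, not the PEP's text, and the index contents, project names ("internal-utils", "requests"), the "primary"/"extra" labels and the `pins` mapping are all constructed assumptions. It models the merged behaviour the thread objects to, a per-project index pin as one hypothetical mitigation, and a collision check an operator could run before mixing indexes.

```python
"""Multi-index candidate merging, simulated. Constructed example, not pip code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (1, 2, 0)
    index: str       # label of the index that served the link


# Constructed sample indexes. The private ("extra") index holds the
# organisation's package "internal-utils"; an unrelated party has registered
# the same name on the public ("primary") index with a higher version.
PUBLIC_INDEX = {
    "internal-utils": [(99, 0, 0)],
    "requests": [(2, 4, 3)],
}
PRIVATE_INDEX = {
    "internal-utils": [(1, 2, 0)],
}
INDEXES = {"primary": PUBLIC_INDEX, "extra": PRIVATE_INDEX}

# Hypothetical per-project pin: which index a given name may come from.
PINS = {"internal-utils": "extra"}


def collect(indexes):
    """Gather every candidate link for every project from every index."""
    found = []
    for index_label, contents in indexes.items():
        for name, versions in contents.items():
            for version in versions:
                found.append(Candidate(name, version, index_label))
    return found


def resolve_merged(name, indexes):
    """Merge links from all indexes and take the highest version, regardless
    of which index served it. This is the behaviour the thread describes as
    'public PyPI links are merged in even for my private packages'."""
    cands = [c for c in collect(indexes) if c.name == name]
    if not cands:
        raise LookupError(name)
    return max(cands, key=lambda c: c.version)


def resolve_pinned(name, indexes, pins):
    """Only consider links from the index pinned for this name; unpinned names
    fall back to the primary index alone. Hypothetical mitigation, not a pip
    feature: the point is that the choice of index is made per project name
    by the operator, not by whichever index advertises the largest version."""
    allowed = pins.get(name, "primary")
    cands = [c for c in collect(indexes)
             if c.name == name and c.index == allowed]
    if not cands:
        raise LookupError(f"{name} not available on index {allowed!r}")
    return max(cands, key=lambda c: c.version)


def collisions(indexes):
    """Project names served by more than one index. Any name returned here is
    a candidate for shadowing under merged resolution and deserves a pin."""
    seen = {}
    for c in collect(indexes):
        seen.setdefault(c.name, set()).add(c.index)
    return {name for name, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    shadowed = resolve_merged("internal-utils", INDEXES)
    print("merged  :", shadowed)          # served by 'primary', version 99.0.0
    pinned = resolve_pinned("internal-utils", INDEXES, PINS)
    print("pinned  :", pinned)            # served by 'extra', version 1.2.0
    print("collide :", collisions(INDEXES))
```

Run stand-alone, the merged resolver picks the public 99.0.0 release of "internal-utils" over the private 1.2.0 one, which is exactly the private/public shadowing the thread is arguing about; the pinned resolver returns the private release, and `collisions` names the one project that needs attention before the two indexes are combined.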

Re: [Distutils] PEP470 installation security problems

2014-10-08 Thread Donald Stufft
> On Oct 8, 2014, at 3:17 AM, holger krekel wrote: > > On Tue, Oct 07, 2014 at 08:00 -0400, Donald Stufft wrote: >>> On Oct 7, 2014, at 6:09 AM, holger krekel wrote: I had thought of similar things, and my reasons for not using an >>> href> and instead using a meta tag and for removing the

[Distutils] PEP470 installation security problems

2014-10-08 Thread holger krekel
On Tue, Oct 07, 2014 at 08:00 -0400, Donald Stufft wrote: > > On Oct 7, 2014, at 6:09 AM, holger krekel wrote: > >> I had thought of similar things, and my reasons for not using an >> href> and instead using a meta tag and for removing the old URLs > >> instead of just making this in addition to