On May 8, 2014, at 11:37 AM, M.-A. Lemburg <mal at egenix.com> wrote:

> On 08.05.2014 16:42, M.-A. Lemburg wrote:
>> On 08.05.2014 15:58, Donald Stufft wrote:
>>>
>>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>
>>>> Well, to be fair and leaving aside uptime concerns and the general
>>>> desire to always install packages from some server instead of
>>>> a safe and trusted local directory (probably too obvious ;-),
>>>> it would certainly be possible to add support for
>>>> trusted externally hosted packages.
>>>
>>> There is support for trusted externally hosted packages, you put the URL in
>>> PyPI and include a hash in the fragment like so:
>>>
>>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
>>>
>>> The hash can be md5 or any of the sha-2 family.
>>>
>>> Now this does not mean that ``pip install cdecimal`` will automatically install
>>> this, because whether or not you're willing to install from servers other than
>>> PyPI[1] is a policy decision for the end user of pip.
>>
>> Hmm, if you call that feature "trusted externally hosted packages",
>> pip should really do trust them, right ? ;-)
>>
>> I can understand that pip defaults to not trusting URLs which don't
>> meet the above feature requirements, but not that it still warns
>> about unreliable externally hosted packages even if the above
>> feature is used.
>>
>> At the moment, pip will refuse to use an externally hosted file even
>> if the package author uses the above hashed URLs; even with HTTPS
>> and a proper SSL certificate chain.
>
> Could this perhaps be changed/reconsidered for pip ?
>
> Note that easy_install/setuptools does not have such problems.

Anything can be changed or reconsidered of course. I feel pretty strongly that an installer should not install things from places other than the index without a specific opt in.

That discussion would be best done on distutils-sig as it would require reversing the decision in PEP438.

I really don't feel strongly one way or the other about the *warning* that happens when you allow an external file. It exists primarily because at the time it was implemented external files defaulted to allowed.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
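The exchange above describes two separate mechanisms: a download link that carries its own digest in the URL fragment ("#md5=..." or a SHA-2 name), and a user-side policy decision about whether files from hosts other than the index are eligible at all, with a hash never substituting for that opt-in. The following is an added example written for this page; it is not code from the thread, from pip or from PyPI. The host name example.invalid, the sample file bytes and the function names are hypothetical, and the accepted algorithms follow the post (md5 and the SHA-2 family, nothing else).

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Digests a link fragment may carry, per the post: md5 or the SHA-2 family.
# (hashlib constructor names; sha1 is deliberately not accepted here.)
FRAGMENT_ALGORITHMS = ("md5", "sha224", "sha256", "sha384", "sha512")


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) for a '#algo=hex' fragment, else None.

    Only the algorithms above are accepted, and the digest must be hex of
    exactly the algorithm's length, so a malformed fragment can never pass
    as a verified one.
    """
    algo, sep, digest = urlparse(url).fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in FRAGMENT_ALGORITHMS:
        return None
    if len(digest) != hashlib.new(algo).digest_size * 2:
        return None
    if any(c not in "0123456789abcdef" for c in digest):
        return None
    return algo, digest


def hashed_url(url, algo, data):
    """Author side: attach '#algo=hex' for the file bytes to a download URL."""
    if algo not in FRAGMENT_ALGORITHMS:
        raise ValueError("unsupported fragment algorithm: %s" % algo)
    base = url.split("#", 1)[0]          # drop any fragment already present
    return "%s#%s=%s" % (base, algo, hashlib.new(algo, data).hexdigest())


def verify_download(url, data):
    """Installer side: True only if the URL carries a usable fragment and the
    downloaded bytes match it. No fragment, or any mismatch, is a failure."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)   # constant-time compare


def install_allowed(url, data, index_hosts, allowed_external_hosts):
    """Policy gate modelled on the opt-in the reply insists on (hypothetical,
    not pip's actual logic): a file from the index is eligible, and is
    checked if it carries a fragment; a file from any other host needs both
    an explicit opt-in for that host and a verified hash. A hash alone
    never overrides the opt-in."""
    host = urlparse(url).hostname
    if host in index_hosts:
        return parse_hash_fragment(url) is None or verify_download(url, data)
    if host not in allowed_external_hosts:
        return False
    return verify_download(url, data)


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for an sdist, hosted at a
    # hypothetical external host (example.invalid), not a real package.
    sdist = b"constructed stand-in for an sdist tarball\n"
    link = hashed_url("https://example.invalid/releases/pkg-2.3.tar.gz", "sha256", sdist)
    print(link)
    print("no opt-in:", install_allowed(link, sdist, {"pypi.python.org"}, set()))
    print("opt-in:   ", install_allowed(link, sdist, {"pypi.python.org"}, {"example.invalid"}))
    print("tampered: ", install_allowed(link, sdist + b"x", {"pypi.python.org"}, {"example.invalid"}))
```

Two points worth keeping in mind when using a scheme like this. The fragment is checked with a constant-time comparison and a strict parser, so a truncated or malformed fragment is treated as "no hash" rather than as a weaker match. And although the scheme accepts md5 (as the post says), md5 collision resistance is broken, so an author publishing a new link should attach a SHA-2 digest; the md5 acceptance here exists only for compatibility with links of the form shown in the thread.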