[tahoe-lafs-trac-stream] [tahoe-lafs] #1582: setuptools delenda est
tahoe-lafs
trac at tahoe-lafs.org
Tue Jul 9 00:44:49 UTC 2013
#1582: setuptools delenda est
----------------------------+------------------------
Reporter: davidsarah | Owner: somebody
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: packaging | Version: 1.9.0b1
Resolution: | Keywords: setuptools
Launchpad Bug: |
----------------------------+------------------------
Comment (by dstufft):
I don't believe the packaging tools need to be rewritten from scratch to enable
secure install.
pip *will* verify the integrity of the downloads if it has that
information available. Currently it is using md5 to do that (although
that's not pip's doing, it supports md5, sha1, and sha2). At the urging of
some members of ooni I am preparing to "once more into the breach" to
fight for a better hash on PyPI.
The behavior described in the ooni pull request about scraping is mostly
correct. However on July 1st I removed most link scraping from PyPI and
the imminent pip 1.4 release makes the insecure external scraping opt-out
on the installer side, and 1.5 will make it opt-in.
There is currently nothing like peep where you can bake a hash into a
requirements.txt and verify against that, but it is something I want to
enable. (As a side note, the above probably failed, because I don't
believe a requires.txt is going to have the same format as
requirements.txt).
Beyond that can you provide more information on:
* "it frequently downloads, builds, installs, and/or runs the wrong
code"
* "it frequently gives incorrect, misleading, or insufficient
information about what it is doing"
The other issues I believe are either fixed, or are becoming fixed.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1582#comment:6>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
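The comment above describes two things an installer needs for secure install: hash verification of what it downloads (with md5 being the weakest of the supported digests) and a peep-style way to bake expected hashes into a requirements file so the check is against something the project controls rather than something the index serves. The script below is an added example, not pip's, peep's or Tahoe-LAFS's own code: it parses a small hash-pinned requirements format, verifies a constructed artifact against the pinned digests, and fails closed on a mismatch, on a package that is pinned only with md5 or sha1, and on a package with no pin at all. The `--hash=algorithm:hexdigest` syntax is an assumption modelled on the form pip later adopted; the package names, the policy of refusing weak-only pins, and the artifact bytes are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Digests accepted for pinning.  md5 and sha1 are still parsed so a pin can be
# reported, but they are refused as collision-prone (assumption: this policy is
# the example's, not pip's).
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}

_HASH_OPT = re.compile(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class PinnedRequirement:
    spec: str                                    # e.g. "fake-tahoe-dep==1.0"
    hashes: list = field(default_factory=list)   # [(algorithm, hexdigest), ...]


def parse_hash_pinned_requirements(text):
    """Parse lines of the form 'pkg==ver --hash=sha256:<hex> [--hash=...]'.

    Comments and blank lines are skipped; a trailing backslash continues the
    requirement on the next line (the assumed format, see lead-in)."""
    reqs = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            spec = logical.split()[0]
            hashes = [(m.group(1).lower(), m.group(2).lower())
                      for m in _HASH_OPT.finditer(logical)]
            reqs.append(PinnedRequirement(spec, hashes))
        logical = ""
    return reqs


def verify_download(artifact, req):
    """Return (ok, reason).  ok is True only when the artifact matches at least
    one strong pinned digest; missing or weak-only pins fail closed."""
    if not req.hashes:
        return False, "%s: no hash pinned; refusing to install" % req.spec
    strong = [(a, d) for a, d in req.hashes if a in STRONG_ALGORITHMS]
    if not strong:
        weak = ", ".join(sorted({a for a, _ in req.hashes}))
        return False, "%s: only weak digests pinned (%s)" % (req.spec, weak)
    for algorithm, expected in strong:
        if hashlib.new(algorithm, artifact).hexdigest() == expected:
            return True, "%s: %s digest matched" % (req.spec, algorithm)
    return False, "%s: download matches none of the pinned digests" % req.spec


# Constructed sample artifacts standing in for an sdist served by the index.
GOOD_SDIST = b"PK\x03\x04 fake-tahoe-dep-1.0.tar.gz contents"
TAMPERED_SDIST = GOOD_SDIST + b"\n# attacker-appended payload"


def example_requirements():
    """Build a hash-pinned requirements file for the constructed artifact.

    The digests are computed here so the file always matches GOOD_SDIST."""
    sha256 = hashlib.sha256(GOOD_SDIST).hexdigest()
    md5 = hashlib.md5(GOOD_SDIST).hexdigest()
    return (
        "# constructed example; packages below are hypothetical\n"
        "fake-tahoe-dep==1.0 \\\n"
        "    --hash=sha256:%s\n"
        "legacy-only==0.1 --hash=md5:%s\n"
        "unpinned==2.0\n" % (sha256, md5)
    )


def run_checks():
    """Exercise the verifier: only the untampered, sha256-pinned case passes."""
    reqs = {r.spec: r for r in parse_hash_pinned_requirements(example_requirements())}
    return {
        "good": verify_download(GOOD_SDIST, reqs["fake-tahoe-dep==1.0"])[0],
        "tampered": verify_download(TAMPERED_SDIST, reqs["fake-tahoe-dep==1.0"])[0],
        "weak_only": verify_download(GOOD_SDIST, reqs["legacy-only==0.1"])[0],
        "unpinned": verify_download(GOOD_SDIST, reqs["unpinned==2.0"])[0],
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("%-10s %s" % (name, "install" if ok else "refuse"))
```

The point of failing closed on an unpinned package is the one the comment makes about the index: a digest the installer scrapes from PyPI only proves the download is what the index currently says it is, whereas a digest committed alongside the requirements proves it is what the project reviewed.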