Paul Ganssle
> I am not trying to build a package named 'test', the package is named 'cogid'. It is a wrapper for boto3 Cognito Identity. I don't think you or anyone...
> We could also, for each test, put the artefacts we want to test (latest setuptools wheel, pip master sdist, etc) in a directory packages and use pip options `--no-index...
> Ideally, a local index is the best option, assuming no tools clear environment variables (I know tox does for some, but I don't imagine it would be the pip...
@Carreau > * If we want to replace `python setup.py install|develop`, do we still want to mention it in the docs, or (almost) completely remove any mentions? Telling users...
What is the argument for putting it onto the blocked list, particularly if Filipe is going to put a legitimate package there? It's possible someone will typo it and it...
> Typos like `pip install install ` Yeah, I get that it is something you might install accidentally, but I might also mindlessly type *anything* in there. The only problem...
> Assuming that `install` never gets compromised, ofc. Sure, but if the threat model is "package compromise", then it's no different whether it is deliberately installed or accidentally installed. In...
`setuptools` is definitely a better place for this than `distutils`, for various reasons. One thing I'll note is that we're trying to move away from any user-facing `setup.py` invocations, so...
Thanks for kicking off this process, Hugo! I think we can follow the road map from [`setup.py test`](https://github.com/pypa/setuptools/pull/1878) and [`setup.py upload`/`register`](https://github.com/pypa/setuptools/pull/1898): 1. Add deprecation warnings for 9-12 months (with tests)....
Oh, one thing I'll note: It is a lot easier to start shipping the `right/` zones later if someone needs them than it is to stop shipping them if we...