Abort installation immediately #2
Conversation
|
Yeah, we could head this direction. For sure user should be notified somehow that what he typed that is not exactly the same as he intended to type. Right now the effect is close to the expected one but let's ignore this fact. But I think we could do a bit more here. Something fun. pip goes a very long way to hide the output of package installation. Why not to take the opportunity and show that this can be easily bypassed? Or maybe think about something similar to {{sl}} command. Thing that will be reasonably harmless but can make the user to think more about his actions. Of course your PR falls into category of such things but honestly I would prefer to remove it from PyPI (and leave the name for other trickster to take), than to distribute a package with only import error inside. And also one formal question: Why did you remove |
aanand
force-pushed
the
abort-installation
branch
from
811358b
to
0b825c9
Compare
aanand
force-pushed
the
abort-installation
branch
from
0b825c9
to
b002121
Compare
|
(Sorry about If you want to make it display something more fun than just an error message, that's cool, but this PR is at least a step in the right direction. As raised in #1, the current behaviour is unhelpful, because it leads to difficult-to-track-down errors - accordingly, I'd strongly advocate merging/publishing this change and worrying about how fun it is later. Whatever this package's behaviour, I'd also argue for keeping it free of snark. When people realise they've made a simple typing error, they're not going to appreciate being mocked for it. It's great that you want to use this as an opportunity to highlight the insecurity of a distribution tool like pip, but the Python community has long had a culture of being nice to programmers, and it's one of the reasons I like it here. It's of course completely up to you whether or not to take on this responsibility in the first place. If you'd rather not, then by all means unpublish - but know that the next person might have malicious intent. For example, it's not hard to imagine that there might be people watching PyPi for recently-removed packages, hoping to inject malicious replacements to take advantage of people who haven't updated their dependencies yet. A better approach might be to first lobby the pip and/or PyPi teams to better address this issue, before taking the package down. In any case, as I say, right now I think merging this PR is a win-win. |
|
I have merged this manually, updated |
|
🍰 |
After reading #1, I think the best solution (without involving changes to PyPi or
pip) is to abort the installation immediately with a helpful message. This has the advantage (over just deleting the package) of making it impossible for someone else to put something malicious there.Forgive my code - I don't know much about setuptools/distutils. I did the simplest thing that seemed to work.