Create a stable & secure hosted link to the latest Setuptools/pip bootstrap script. #34

Closed
ghost opened this issue Jul 8, 2013 · 10 comments

@ghost ghost commented Jul 8, 2013

Originally reported by: Ivoz (Bitbucket: Ivoz, GitHub: Ivoz)


Hi, as far as I know it is desirable to provide a secure way to bootstrap into a "modern" python package installation environment.

@ncoghlan has advised me that currently it is planned to be hosted on pypi.python.org, available under their https connection.

Obvious use-case for this link would be to be allowed in documentation and setup scripts that wouldn't need to change with changes in Setuptools'/pip's version.

@r1chardj0n3s is currently writing a new pip-bootstrap for 3.4 (hopefully backportable)

AFAIK this would install latest versions of setuptools and pip, as they are rather symbiotic.

I just wished to create an issue to track progress of this and so I can update docs when it appears.

As of writing it can be found @ https://bitbucket.org/pypa/setuptools/raw/0.8/ez_setup.py

Analogously, scripts for distribute are hosted under http://python-distribute.org/ although that is not under HTTPS currently. pip's can be found currently at https://raw.github.com/pypa/pip/master/contrib/get-pip.py



@ghost ghost commented Jul 8, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I've updated the documentation and release script to now use our best available method for hosting (bitbucket downloads). I say best available because that's the technique with which I'm familiar and have been following. I do want to (a) fully mechanize that technique, and (b) update it to use PyPI instead of bitbucket.

Since the release script uses pure Python and now requires 'requests', it should be fairly easy to implement something that uses the PyPI credentials to upload the file.


@ghost ghost commented Jul 19, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I had another idea for hosting the script. Using Mercurial bookmarks, we can create a lightweight reference to the latest stable version. Consider this link:

https://bitbucket.org/pypa/setuptools/raw/stable/ez_setup.py

The ‘stable’ in the URL refers to a bookmark, which will be maintained (and mechanically updated as part of the release process) to refer to the latest stable release.

Alternatively ‘bootstrap’ could be used specifically to refer to the changeset containing the preferred bootstrap script.

There are several advantages to this approach:

  • the file doesn't have to be uploaded or maintained anywhere else
  • anybody with commit access to the repo can update the reference
  • the file is a reference to the actual content rather than a copy.

@ghost ghost commented Jul 20, 2013

Original comment by Ivoz (Bitbucket: Ivoz, GitHub: Ivoz):


@r1chardj0n3s do you like the above idea?


@ghost ghost commented Jul 26, 2013

Original comment by prologic (Bitbucket: prologic, GitHub: prologic):


The most useful and secure way I've found to bootstrap setuptools is to use the following url:

Bump the version as new releases of setuptools are released. I keep the version in a config file as part of my configuration management scripts.


@ghost ghost commented Jul 26, 2013

Original comment by prologic (Bitbucket: prologic, GitHub: prologic):


I also like the above "bookmarks" idea -- AFAIK bitbucket does support remote (pushed) bookmarks so this would work really well.


@ghost ghost commented Jul 26, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


With this written latest release, I've updated the release process to update the bookmark 'bootstrap'. Give that a try and let me know how that works for you.


@ghost ghost commented Jul 26, 2013

Original comment by prologic (Bitbucket: prologic, GitHub: prologic):


Thanks Jason. I'll give it a try!


@ghost ghost commented Jul 26, 2013

Original comment by Ivoz (Bitbucket: Ivoz, GitHub: Ivoz):


@prologic there is a good use case for needing a permanent (i.e. without a version number in it) URL for documentation, tutorials, other scripts, that don't want to be manually updated whenever a new version of setuptools comes out, but do want to refer to the latest version. That's the primary reason I created the issue.

@jaraco thanks for creating that bookmarked url, looks like a nifty way to do it. I'll start using that for now.


@ghost ghost commented Jul 26, 2013

Original comment by prologic (Bitbucket: prologic, GitHub: prologic):


As I said, bookmarks are a great way to do this.


@ghost ghost commented Aug 7, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


The most current, officially-sanctioned bootstrap can now be persistently found at https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
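
An added example, not part of the thread and not setuptools code: one way a provisioning script that fetches a moving bootstrap URL like the one above can still pin what it executes, by requiring HTTPS and comparing the download's SHA-256 with a digest kept in configuration, in the spirit of the pinned version mentioned earlier in the thread. The function names, the `PIN` layout and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a downloaded ez_setup.py; not the real script.
SAMPLE_SCRIPT = b"#!/usr/bin/env python\nprint('bootstrap placeholder')\n"

# Hypothetical pin kept in configuration management alongside the URL.
# A real pin would hold the digest of a bootstrap script you have reviewed.
PIN = {
    "url": "https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py",
    "sha256": hashlib.sha256(SAMPLE_SCRIPT).hexdigest(),
}


class BootstrapRejected(Exception):
    """Raised when the download must not be executed."""


def check_url(url):
    """Allow only HTTPS URLs with a host and no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise BootstrapRejected("refusing non-HTTPS URL: %s" % url)
    if not parts.hostname or parts.username or parts.password:
        raise BootstrapRejected("malformed URL: %s" % url)
    return url


def verify_bootstrap(data, pin):
    """Return data only if its SHA-256 matches the pinned digest."""
    check_url(pin["url"])
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pin["sha256"].lower()):
        raise BootstrapRejected(
            "digest mismatch: expected %s, got %s" % (pin["sha256"], actual))
    return data


def fetch_and_verify(pin, timeout=30):
    """Download pin['url'] (network required) and verify before returning."""
    from urllib.request import urlopen
    with urlopen(check_url(pin["url"]), timeout=timeout) as resp:
        return verify_bootstrap(resp.read(), pin)
```

When the bookmark moves to a new release the digest check fails until the pin is updated, which turns a silent change of the executed script into a reviewed one.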

@ghost ghost added minor task labels Mar 29, 2016
@ghost ghost closed this Mar 29, 2016