Issue #82 wontfix

Remove usage of subprocess, wget, curl etc.

sureshvv
created an issue

Why can't we just use urllib2 for downloading the tarball file?

Will have fewer runtime dependencies and make the code easier to maintain.

Will not result in error messages like:


subprocess.CalledProcessError: Command '['wget', 'https://pypi.python.org/packages/source/s/setuptools/setuptools-1.1.6.tar.gz', '--quiet', '--output-document', '/home/s2/repos/setuptools/setuptools-1.1.6.tar.gz']' returned non-zero exit status 4

We can also add an md5sum check for file size.

Comments (4)

  1. Jason R. Coombs

    These routines were recently added to make downloading of setuptools secure. urllib2 doesn't support certificate validation, so doesn't provide a means for establishing a trusted channel. You can pass --insecure to ez_setup if you want to bypass using the secure downloaders.

    Perhaps it would be worthwhile to trap CalledProcessErrors and provide a nicer error message.

    There is already an open issue (#7) for validating the tarfile. The challenge becomes distributing the "valid" hashes securely.

  2. Jason R. Coombs

    We have considered those. They require bundling certificate libraries and SSL support, which is particularly tricky when trying to support multiple platforms and Python versions back to 2.4. It's also a bit of a chicken/egg problem. How do you download the packages you need to run setuptools if you don't already have an installer to install them? Future versions of Python will have a pip bootstrap which will be able to install setuptools securely and without external tools. In the meantime, this technique provides broad compatibility and security in a single bootstrap script.
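The two follow-ups raised in the first comment (trapping `CalledProcessError` for a nicer message, and validating the tarball) could look like the sketch below. It is an added example, not part of the thread and not ez_setup's code. It assumes Python 3, uses SHA-256 in place of the md5sum the issue mentions, and `download`, `DownloadError` and `sha256_matches` are hypothetical names; the exit-status table is the one in the wget manual.

```python
import hashlib
import subprocess

# Exit statuses from the "EXIT STATUS" section of the wget manual.
WGET_EXIT = {
    1: "generic error",
    2: "command-line parse error",
    3: "file I/O error",
    4: "network failure",
    5: "SSL verification failure",
    6: "username/password authentication failure",
    7: "protocol error",
    8: "server issued an error response",
}


class DownloadError(Exception):
    """Readable replacement for a raw CalledProcessError (hypothetical name)."""


def download(url, target, runner=subprocess.check_call):
    """Fetch url with wget; `runner` is injectable so the logic can be tested offline."""
    cmd = ["wget", url, "--quiet", "--output-document", target]
    try:
        runner(cmd)
    except subprocess.CalledProcessError as exc:
        reason = WGET_EXIT.get(exc.returncode, "unknown error")
        msg = "wget could not download %s: %s (exit status %d)" % (
            url, reason, exc.returncode)
        if exc.returncode == 5:
            # Certificate validation failed: the channel is not trusted, so
            # fail closed instead of silently retrying without validation.
            msg += "; not retrying without certificate validation"
        raise DownloadError(msg) from exc
    except OSError as exc:
        # wget is missing or not executable on this machine.
        raise DownloadError("could not run wget: %s" % exc) from exc
    return target


def sha256_matches(path, expected_hex):
    """Compare the file's SHA-256 with a digest obtained over a trusted channel."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_hex.lower()
```

The hash check only adds assurance when `expected_hex` arrives over a channel the attacker cannot modify, which is the distribution problem the first comment points out.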
