site, eggs, etc.

Before I complained about why .pth files are not processed in files on in your $PYTHONPATH. I got a few pointers in that regard, thanks for them. And now I know why it doesn't happen: you can import foo, bar;; bar.harm() inside a .pth file. Since this happens also when system programs are executed a user can effectively do anything they want, just imagine a python script setuid root. One could argue a script like that should start using #!/usr/bin/env python -S but still.

So the solution is described in the easy_install documentation. Create a $PREFIX/lib/python2.X/site-packages/ with the malicious import statement in forcing the user's path to be processed for .pth files. Ok, that introduces the above mentioned security hole. You can also do it entirely safe (and while only being a user) and create a virtual python in your home directory, which is as I understand it a symlink farm to the system python. A bit a crude hack I think but it works I guess.

Having that out of the way I experimented a bit with the setuptools themselves (while attempting to install TurboGears, which I eventually succeeded in). So here are my initial remarks about it:

I feel like I've ranted too much already and realise people have been working hard on this. While I'm not too enthusiastic I can see some of the merits. In a later post I hope to outline some ideas I've had to solve some of my problems. In an ideal world I'd do some coding too, but I know I don't have lots of time. From what I've been thinking up so far most is possible with the current setuptools infrastructure, which is good as they are being adapted by many people. Only gpg signing will need people to learn a new habit, ideally will ask for this at some time in the future.