Diffstat (limited to 'README.txt')
| -rwxr-xr-x | README.txt | 45 |
1 files changed, 43 insertions, 2 deletions
@@ -5,6 +5,36 @@ Installing and Using Setuptools .. contents:: **Table of Contents** +---------------------------------- +Security Issues - Read this First! +---------------------------------- + +Setuptools and ``easy_install`` currently default to allowing automated +download and execution of code from anywhere on the internet, without actually +verifying the owners of the websites or the authors of the code. If you want +your installation to be more secure, you will need to: + + 1. Manually install the `requests <https://pypi.python.org/pypi/requests>`_ + library **after** installing setuptools, using an SSL-enabled browser or + other tool. (This will enable SSL certificate verification.) + + 2. Configure your default ``--allow-hosts`` setting so that ``easy_install`` + will only download from sites you trust. (E.g., to only download from + ``pypi.python.org`` or some other trusted package index.) + + 3. If you are using a Python version less than 2.6, you will also need to + install the `SSL backport module <https://pypi.python.org/pypi/requests>`_ + to enable SSL downloads from PyPI. (Unfortunately, the ``requests`` + package does not support older versions of Python at this time, so SSL + certificate verification will not be enabled. But at least you'll still be + able to use PyPI, which is in the process of switching to an all-SSL policy + for downloads. + +For more information on how to do all of the above, and for other security- +related information, please see the full `setuptools security documentation +<http://peak.telecommunity.com/DevCenter/SetuptoolsSecurity>`_. + + ------------------------- Installation Instructions ------------------------- 
@@ -12,7 +42,17 @@ Installation Instructions Windows ======= -Install setuptools using the provided ``.exe`` installer. If you've previously +32-bit version of Python + Install setuptools using the provided ``.exe`` installer. + +64-bit versions of Python + Download `ez_setup.py`_ and run it; it will download the appropriate .egg file and install it for you. (Currently, the provided ``.exe`` installer does not support 64-bit versions of Python for Windows, due to a `distutils installer compatibility issue`_ + +.. _ez_setup.py: http://peak.telecommunity.com/dist/ez_setup.py +.. _distutils installer compatibility issue: http://bugs.python.org/issue6792 + + +NOTE: Regardless of what sort of Python you're using, if you've previously installed older versions of setuptools, please delete all ``setuptools*.egg`` and ``setuptools.pth`` files from your system's ``site-packages`` directory (and any other ``sys.path`` directories) FIRST. @@ -90,7 +130,7 @@ Downloads All setuptools downloads can be found at `the project's home page in the Python Package Index`_. Scroll to the very bottom of the page to find the links. -.. _the project's home page in the Python Package Index: http://pypi.python.org/pypi/setuptools +.. _the project's home page in the Python Package Index: http://pypi.python.org/pypi/setuptools#files In addition to the PyPI downloads, the development version of ``setuptools`` is available from the `Python SVN sandbox`_, and in-development versions of the @@ -159,3 +199,4 @@ Credits "Code Bear" Taylor) contributed their time and stress as guinea pigs for the use of eggs and setuptools, even before eggs were "cool". (Thanks, guys!) +.. _files: |
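
Review bot: In the ``@@ -5,6 +5,36 @@`` hunk, item 3 links `SSL backport module` to https://pypi.python.org/pypi/requests, the same target item 1 uses for `requests`, so a reader on Python older than 2.6 is sent to the package that the same item says does not support them. Point that link at the backport module's own page. The parenthesis opened at "(Unfortunately, the ``requests``" is never closed; add ")" after "for downloads." The link to the full security documentation is also plain ``http://``, which undercuts a section about unverified downloads; use an https URL if the host offers one.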
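
Review bot: In the ``@@ -12,7 +42,17 @@`` hunk, the 64-bit entry tells the reader to fetch `ez_setup.py` from http://peak.telecommunity.com/dist/ez_setup.py and run it, which is the unverified download-and-execute path the new "Security Issues" section in this same patch warns about. Serve that target over https if possible, or have the entry refer the reader to the security section before this step. The parenthesis opened at "(Currently, the provided" lacks its closing ")" and a final period after ```distutils installer compatibility issue`_``, and "32-bit version of Python" should match the plural "64-bit versions of Python".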
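
Review bot: In the ``@@ -90,7 +130,7 @@`` hunk, the link target gains ``#files`` but the unchanged sentence just above it still says "Scroll to the very bottom of the page to find the links." If the fragment is meant to take the reader straight to the file list, update or drop that sentence so the two agree. The target also stays on plain ``http://pypi.python.org``, while the security section added in this patch links the same host over https; use https here as well.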
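
Review bot: In the ``@@ -159,3 +199,4 @@`` hunk, the added ``.. _files:`` line is an empty target at the very end of the file with nothing to say why it is there. If it exists to give the ``#files`` fragment from the Downloads link something to land on when this README is rendered, add an reST comment above it saying so, so that a later cleanup does not delete it as a stray line.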
