Merge pull request #1494 from dstufft/add-a-note

dstufft · dstufft · commit 1055f42c1f8e · 2014-01-22T12:18:07.000-08:00
Add a note that explains about the big binary blob at the top of get-pip...
diff --git a/contrib/get-pip.py b/contrib/get-pip.py
@@ -1,5 +1,23 @@
 #! /usr/bin/env python
 
+# Hi There!
+# You may be wondering what this giant blob of binary data here is, you might
+# even be worried that we're up to something nefarious (good for you for being
+# paranoid!). It is a base64 encoded bz2 stream that was stored using the
+# pickle module.
+#
+# Pip is a thing that installs packages, pip itself is a package that someone
+# might want to install, especially if they're looking to run this get-pip.py
+# script. Pip has a lot of code to deal with the security of installing
+# packages, various edge cases on various platforms, and other such sort of
+# "tribal knowledge" that has been encoded in it's code base. Because of this
+# we basically include an entire copy of pip inside this blob. We do this
+# because the alternatives are attempt to implement a "minipip" that probably
+# doesn't do things correctly and has weird edge cases, or compress pip itself
+# down into a single file.
+#
+# If you're wondering how this is created, the secret is
+# "contrib/build-installer" from the pip repository.
 sources = """
 QlpoOTFBWSZTWYVCtNgG3an//////////////////f////JFQAJgREZKBERAEJBEQABMZBnu8QeH
 Pr6GZh9HQAAFAUHKEA1rNt6y7UUKyNBoGgUFNJtrFVFAKaAGhoZmO6gBj3AOg+UgpFQpVBAnXJ99
diff --git a/contrib/packager/template.py b/contrib/packager/template.py
@@ -1,5 +1,23 @@
 #! /usr/bin/env python
 
+# Hi There!
+# You may be wondering what this giant blob of binary data here is, you might
+# even be worried that we're up to something nefarious (good for you for being
+# paranoid!). It is a base64 encoded bz2 stream that was stored using the
+# pickle module.
+#
+# Pip is a thing that installs packages, pip itself is a package that someone
+# might want to install, especially if they're looking to run this get-pip.py
+# script. Pip has a lot of code to deal with the security of installing
+# packages, various edge cases on various platforms, and other such sort of
+# "tribal knowledge" that has been encoded in it's code base. Because of this
+# we basically include an entire copy of pip inside this blob. We do this
+# because the alternatives are attempt to implement a "minipip" that probably
+# doesn't do things correctly and has weird edge cases, or compress pip itself
+# down into a single file.
+#
+# If you're wondering how this is created, the secret is
+# "contrib/build-installer" from the pip repository.
 sources = """
 @SOURCES@"""
 
