Hi,

Andreas Jung wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I propose a policy change for packages registered with PyPI:

  - packages registered on PyPI have at least one release

  - one release of a registered package on PyPI _must_ contain
    a valid source code distribution (sdist)

  - packages registered on PyPI without releases or without
    source code release are subject to be removed after N days
    after the day of registration

Why?

Any package registered on PyPI is possibly crucial to any kind of
development and deployment.

Packages hosted on external servers (referenced through a download_url)
are subject to come and go - packages once released should be available
at any time from a well-known location (PyPI). Dependencies on the
availability of external download servers other than PyPI are hardly
acceptable for real-world development and deployments.

As an example: the Plone CMS buildouts depend on python-openid.
This package is registered with PyPI

http://pypi.python.org/pypi/python-openid

but references

http://openidenabled.com/files/python-openid/packages/python-openid-2.2.4.tar.gz

For whatever reason the download URL is no longer working. In fact:
openidenabled.com now points to http://www.janrain.com.

FWIW, I have uploaded a local copy of that file to:

http://dist.plone.org/thirdparty/python-openid-2.2.4.tar.gz



Other reasons for disappearing packages in the past:

  - network or server outages of external servers
  - users changed their organization and the organization removed
    content of their former employees

PyPI is a valuable and crucial resource for Python development.
It must be kept up-to-date and consistent.

I don't care about the arguments that were made in the past against
stronger rules ("openness" etc.).

There are a lot of Python programmers around that are not Python geeks
as most of us are and they just become pissed off when packages come and
go or are not in the place where one would expect them.

PyPI is a community resource - but community does not mean anarchy where
everyone should be able to upload their package crap without looking left
and right and having the community and its needs in mind.

PyPI must become a stable package index. Everything registered with PyPI
must be available at any time (mirrors, distributing PyPI in the cloud...).

Andreas

--
ZOPYX Limited           | zopyx group
Charlottenstr. 37/1     | The full-service network for Zope & Plone
D-72070 Tübingen        | Produce & Publish
www.zopyx.com           | www.produce-and-publish.com
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwZowgACgkQCJIWIbr9KYyclQCglMaIFnObClOn3sPfwBWbnV1w
YboAoL8OSErCHFi0nXD4tbF8VnYgbc/i
=3m/N
-----END PGP SIGNATURE-----



_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig


--
Alex Clark · http://aclark.net
Author — Plone 3.3 Site Administration · http://aclark.net/admin
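The failure mode Andreas describes above (a name registered on PyPI whose only release lives behind a `download_url` on a third-party host that later disappears) is easy to audit for before it bites a build. The following script is an added example, not code from this thread or from PyPI; it assumes the shape of PyPI's per-package JSON API response (`/pypi/<name>/json`: an `info` dict with `download_url`, and a `urls` list of release files with `packagetype` and `url`) and embeds constructed metadata so it runs offline. The `python-openid` entry mirrors the situation in the mail; the other packages are invented.

```python
"""Audit a dependency list for packages not actually hosted on PyPI.

Classifies each package as having an sdist on PyPI (what the proposal
requires), only binary files on PyPI, only an external download_url, or
no release at all. Metadata is constructed inline; a real audit would
fetch it from the index per package.
"""
from urllib.parse import urlparse

# Hosts whose files count as "available from PyPI". Assumption: the thread
# names pypi.python.org; files.pythonhosted.org is the index's file host.
PYPI_FILE_HOSTS = {"pypi.python.org", "files.pythonhosted.org"}

NO_RELEASE = "no_release"          # registered name, nothing uploaded
EXTERNAL_ONLY = "external_only"    # only a download_url on a third-party host
BINARY_ONLY = "binary_only"        # wheels/eggs on PyPI, but no sdist
SDIST_ON_PYPI = "sdist_on_pypi"    # what the proposed policy requires
NOT_REGISTERED = "not_registered"  # name unknown to the index


def hosted_on_pypi(url):
    """True if the URL's host is one of the trusted PyPI file hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host in PYPI_FILE_HOSTS


def classify_package(meta):
    """Map one package's JSON metadata to a hosting status."""
    files = [f for f in meta.get("urls", []) if hosted_on_pypi(f.get("url", ""))]
    if any(f.get("packagetype") == "sdist" for f in files):
        return SDIST_ON_PYPI
    if files:
        return BINARY_ONLY
    download_url = (meta.get("info") or {}).get("download_url") or ""
    if download_url and not hosted_on_pypi(download_url):
        return EXTERNAL_ONLY
    # No files on PyPI and no external pointer: a bare registration.
    return NO_RELEASE


def audit(requirements, metadata):
    """Return ({name: status}, [names that would break if the external host vanished])."""
    report = {}
    for name in requirements:
        meta = metadata.get(name)
        report[name] = classify_package(meta) if meta is not None else NOT_REGISTERED
    flagged = sorted(n for n, s in report.items() if s != SDIST_ON_PYPI)
    return report, flagged


# Constructed sample metadata in the assumed JSON-API shape.
SAMPLE_METADATA = {
    "python-openid": {   # mirrors the case in the mail: external tarball only
        "info": {"name": "python-openid", "version": "2.2.4",
                 "download_url": "http://openidenabled.com/files/python-openid/"
                                 "packages/python-openid-2.2.4.tar.gz"},
        "urls": [],
    },
    "goodpkg": {         # invented: sdist uploaded to PyPI
        "info": {"name": "goodpkg", "version": "1.0", "download_url": ""},
        "urls": [{"packagetype": "sdist", "filename": "goodpkg-1.0.tar.gz",
                  "url": "https://files.pythonhosted.org/packages/xx/goodpkg-1.0.tar.gz"}],
    },
    "wheelonly": {       # invented: binary on PyPI, no source
        "info": {"name": "wheelonly", "version": "2.0", "download_url": ""},
        "urls": [{"packagetype": "bdist_wheel", "filename": "wheelonly-2.0-py3-none-any.whl",
                  "url": "https://files.pythonhosted.org/packages/yy/wheelonly-2.0-py3-none-any.whl"}],
    },
    "emptypkg": {        # invented: registered, never released
        "info": {"name": "emptypkg", "version": "0.0", "download_url": ""},
        "urls": [],
    },
}

if __name__ == "__main__":
    report, flagged = audit(["python-openid", "goodpkg", "wheelonly", "emptypkg", "unknownpkg"],
                            SAMPLE_METADATA)
    for name, status in sorted(report.items()):
        print(f"{name:15} {status}")
    print("needs attention:", ", ".join(flagged))
```

Run against live index data, the `flagged` list is the set of dependencies worth mirroring locally (as Andreas did with `dist.plone.org`) or pinning to a copy you control, since a build that resolves them depends on a host the index does not guarantee.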
