On 2/5/2013 8:02 AM, Jesse Noller wrote:
On Feb 5, 2013, at 7:51 AM, Donald Stufft <donald.stu...@gmail.com> wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from external download links. A deprecation period for
this of a couple of months, to give package authors the chance to
upload their packages is probably necessary.
PyPI will need to change for this to happen realistically if I recall.
There is a hard limit on how large of a distribution can be uploaded to
PyPI and there are, if I recall, valid distributions which are larger
than that.
Personally I want the installers to only install from PyPI so my
suggestion if this is something that (the proverbial) we want to do,
PyPI should gain some notion of a soft limit for distribution upload
(to prevent against DoS) with the ability to increase that size limit
for specific projects who can file a ticket w/ PyPI to have their limit
increased.
I strongly concur; however this does mean I will need to work with the
board to procure additional storage or we will need to take the monthly
storage hit and push it to s3 or another CSP.
It seems to me that only downloading from PyPI is as extreme as
downloading from anywhere and everywhere. Why is downloading from
code.google.com, for instance, worse than from pypi.python.org? I
suspect their uptime and security is *better* than that of ours. Ditto
for SourceForge. Why should PSF, with limited resources, pay for what
Google, for instance, with its massive resources, gives out for free? I
would rather the money went, for instance, to pay someone to review and
push patches that no one will look at for free. Or pay someone to work
on some of the hard security issues that are not being solved as fast as
they should be otherwise.
--
Terry Jan Reedy