On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
> On 2/5/2013 8:02 AM, Jesse Noller wrote:
> >
> > On Feb 5, 2013, at 7:51 AM, Donald Stufft <[email protected]> wrote:
> >
> > > On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
> > > > 1. Packages should only be installed from the given package indexes.
> > > > No scraping of websites as at least easy_install/buildout does, no
> > > > downloading from external download links. A deprecation period for
> > > > this of a couple of months, to give package authors the chance to
> > > > upload their packages is probably necessary.
> > >
> > > PyPI will need to change for this to happen realistically if I recall.
> > > There is a hard limit on how large of a distribution can be uploaded
> > > to PyPI and there are, if I recall, valid distributions which are
> > > larger than that.
> > >
> > > Personally I want the installers to only install from PyPI so my
> > > suggestion if this is something that (the proverbial) we want to do,
> > > PyPI should gain some notion of a soft limit for distribution upload
> > > (to prevent against DoS) with the ability to increase that size limit
> > > for specific projects who can file a ticket w/ PyPI to have their
> > > limit increased.
> >
> > I strongly concur; however this does mean I will need to work with the
> > board to procure additional storage or we will need to take the monthly
> > storage hit and push it to s3 or another CSP.
>
> It seems to me that only downloading from PyPI is as extreme as
> downloading from anywhere and everywhere. Why is downloading from
> code.google.com, for instance, worse than from pypi.python.org? I
> suspect their uptime and security is *better* than that of ours. Ditto
> for SourceForge. Why should PSF, with limited resources, pay for what
> Google, for instance, with its massive resources, gives out for free? I
> would rather the money went, for instance, to pay someone to review and
> push patches that no one will look at for free. Or pay someone to work
> on some of the hard security issues that are not being solved as fast as
> they should be otherwise. Find that person and we'll pay them too.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
