On Sunday, February 24, 2013 at 7:15 PM, Richard Jones wrote: > On 23 February 2013 10:47, Giovanni Bajo <ra...@develer.com > (mailto:ra...@develer.com)> wrote: > > Uh-uh, never known this until today. Then this is, by itself, a possible > > security hole. I would like to see this fixed somehow (either removing the > > feature, and making sure installation tools match the web ui experience). > > > > > Package owners need to be able to promote the current version(s) of > their package and hide old, unsupported versions. Those older versions > need to be online for version-locked installations to work. > > Donald's crate UI might be appropriate for PyPI. Not sure. The > handling of old packages is a delicate issue - if we start exposing > hidden releases then some package maintainers might just delete the > old packages. And then I'd have a whole other set of people yelling at > me :-) > >
No idea if it would be or not, On Crate there is no deleting anything (unless you delete the entire project). Crate maps "Delete" on PyPI to "yank". In the simple API: - A yanked release is only available if you're pinned exactly to that release In the Web UI: - A yanked release is displayed crossed out with a prominent warning and exists mainly as a record that the release used to exist. Crate has no other concept of hiding a release. > > > Richard
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig