On Feb 27, 2013, at 1:31 PM, PJ Eby wrote:

> On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro <rege...@gmail.com> wrote:
>> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor <mord...@inaugust.com> wrote:
>>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>>> itself? I suppose you could explicitly break the external links by
>>>> having them point to nothing if you are worried about the security or
>>>> if it's some performance issue (that would indeed be a bad
>>>> compatibility break, in case people are using those for other
>>>> purposes).  Otherwise, if it's a problem, then just use the old
>>>> version of pip.
>>> 
>>> If we don't remove the feature from pypi itself
>> 
>> It isn't a feature of PyPI. PyPI doesn't require you to upload the
>> files to PyPI. For that reason, easy_install and PIP will scrape
>> external sites to be able to download the files.
>> 
>> What we should do is agree that this should stop,
> 
> So far, I don't think anybody's talking to the right "we" for stopping
> it.  It's the tools that control this, not PyPI.  (PyPI can't actually
> stop the tools from using this information without also making itself
> a lot less useful to *humans* at the same time.)
> 
> As far as my personal position on the matter, I think that it's
> reasonable to deprecate the scraping of home page and download links.
> As somebody pointed out, expired domains are a potentially nasty
> problem there.
> 
> OTOH, I currently make development snapshots of setuptools and other
> projects available by dumping them in a directory that's used as an
> external download URL.  Replacing that would be a PITA because PyPI
> only lets you upload and register new releases from distutils' command
> line.  Basically, I'd need to use a download link that pointed to a
> "latest" URL that redirected to the final download.
> 
> Anyway, I'm not seeing much discussion here about how to help authors
> make changes to their release processes.  Note that many popular and
> long-lived projects (pywin32, PIL, etc.) have similar issues.  (Not to
> mention the newer projects that host directly from revision control.)
> 
> Given that easy_install was deliberately designed so that those guys
> would *not* need to change their hosting strategies to get automated
> downloads, I'd like to see more talk about how we're going to help
> people change their releasing and hosting strategies.

To be honest, either they will adapt or replacements will arise (see also: 
Pillow). PIL is a great example of something that can and _should_ be 
completely broken since it is already 90% broken anyway.

--Noah
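The scraping behaviour the thread argues about (tools following home page and download links off PyPI, with the expired-domain risk PJ mentions) can be audited from the index page itself. The following is an added example, not code from this thread or from pip/easy_install: it parses a constructed PyPI "simple" page and reports every host a tool would be sent to other than the index. The index host name and the use of rel="homepage"/rel="download" to mark scraped links are assumptions.

```python
# Added example (not from the thread): audit a PyPI "simple" index page for
# links that a fetching tool would follow off the index host.  The sample page
# is constructed; rel="homepage"/"download" as link markers are an assumption.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

INDEX_HOSTS = {"pypi.python.org"}  # assumed canonical index host
INDEX_URL = "http://pypi.python.org/simple/example/"  # constructed


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.links.append((a["href"], a.get("rel") or ""))


def classify_links(page_html, page_url):
    """Return (absolute_url, kind) pairs; kind is 'index' for files served
    from the index host, 'homepage'/'download' for pages a tool would scrape
    further, and 'external' for files hosted elsewhere."""
    parser = LinkCollector()
    parser.feed(page_html)
    result = []
    for href, rel in parser.links:
        url = urljoin(page_url, href)          # resolve relative file links
        host = urlsplit(url).hostname or ""
        if rel in ("homepage", "download"):
            kind = rel
        elif host in INDEX_HOSTS:
            kind = "index"
        else:
            kind = "external"
        result.append((url, kind))
    return result


def offsite_hosts(page_html, page_url):
    """Sorted set of hosts a tool would contact besides the index itself;
    each one is a domain whose expiry or compromise affects installs."""
    return sorted({urlsplit(u).hostname
                   for u, k in classify_links(page_html, page_url) if k != "index"})


SAMPLE_PAGE = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz">example-1.0.tar.gz</a>
<a href="http://downloads.example.org/example-1.1.zip">example-1.1.zip</a>
<a href="http://example.org/" rel="homepage">home</a>
<a href="http://dl.example.org/latest" rel="download">download</a>
</body></html>"""  # constructed sample index page
```

Running `offsite_hosts(SAMPLE_PAGE, INDEX_URL)` on the sample lists the three non-index hosts; only the first link stays on the index.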


_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
