On Thu, Feb 28, 2013 at 12:16 AM, Aaron Meurer <asmeu...@gmail.com> wrote:
> And by the way, this hasn't been mentioned, but I really mean *all*
> mentions of Google Code on PyPI. pip crawls Google Code not just
> because Google Code is listed as an official site for my package or
> because the latest release is there, but because a single old release
> points there.

Right. My suggestions to move forward on this issue are as follows:

1. New versions of pip and distribute are released that will start warning if they download distributions that are not from PyPI, unless explicitly given a URL to download.

2. After a pre-determined period (6 months?) new versions are again released that no longer download from external sites, unless a parameter is added. We still warn when the parameter is added that this feature will go away.

3. After a year or two we drop the external download completely.

I also have suggestions for going forward in general:

1. As far as I can tell, there is no way to ask PyPI what version of the API it's running. Is this correct? If so, that should be added. For the /simple/ API we could stick a version header as metadata in the header, maybe?

2. We determine a version number that will break backwards compatibility, that is, every major version increase.

3. New versions of pip and distribute will check these version numbers and warn (but not fail) if the major version increases, noting that it's time to upgrade.

//Lennart

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
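The staged rollout and the API-version check proposed in the message above, as an added example in Python; this is not pip's, distribute's or PyPI's own code. It parses a small constructed /simple/ page, classifies each link as PyPI-hosted or external (the Google Code case Aaron describes), applies the three phases (warn, opt-in with a flag, refuse), and reads a version header of the kind suggested for the /simple/ API. The host list, the --allow-external flag name, the X-PyPI-Api-Version header name and the sample page are all assumptions made for the example.

```python
"""Staged handling of external (non-PyPI) download links, plus an API-version
check, modelled on the proposal above. Added example, not pip/distribute code.
Host list, flag name, header name and the sample /simple/ page are assumptions."""
from enum import Enum
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts treated as "PyPI" (assumption: the 2013 index host plus its later names).
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}


class Phase(Enum):
    """The three rollout stages of the proposal."""
    WARN = 1      # fetch external links, but warn
    OPT_IN = 2    # refuse unless a flag is passed; warn even when it is
    REFUSE = 3    # never fetch external links


class LinkCollector(HTMLParser):
    """Collect every <a href> on a /simple/ page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base_url, href))


def is_external(url, index_hosts=PYPI_HOSTS):
    """True when the download would leave the index's own host(s)."""
    host = urlparse(url).hostname or ""
    return host.lower() not in index_hosts


def evaluate(url, phase, allow_external=False, explicit=False):
    """Decide whether a link may be fetched. Returns (allowed, message).

    explicit=True means the user passed this URL on the command line, which
    the proposal exempts from all three phases."""
    if explicit or not is_external(url):
        return True, None
    if phase is Phase.WARN:
        return True, f"warning: {url} is not hosted on PyPI; a future version will not fetch it"
    if phase is Phase.OPT_IN:
        if allow_external:  # assumed --allow-external flag
            return True, f"warning: fetching external {url}; --allow-external will be removed"
        return False, f"refusing external {url}; pass --allow-external to override"
    return False, f"refusing external {url}; external downloads are no longer supported"


def filter_links(simple_page_html, page_url, phase, allow_external=False):
    """Apply evaluate() to every link on a /simple/ page. Returns [(url, allowed, msg)]."""
    collector = LinkCollector(page_url)
    collector.feed(simple_page_html)
    return [(u, *evaluate(u, phase, allow_external)) for u in collector.links]


API_VERSION_HEADER = "X-PyPI-Api-Version"  # assumed header name


def check_api_version(headers, client_major):
    """Warn (never fail) when the index reports a higher major API version
    than this client was written for. Returns a message or None."""
    value = next((v for k, v in headers.items() if k.lower() == API_VERSION_HEADER.lower()), None)
    if value is None:
        return None  # server predates the header: nothing to compare
    try:
        server_major = int(value.split(".")[0])
    except ValueError:
        return f"warning: unparseable {API_VERSION_HEADER}: {value!r}"
    if server_major > client_major:
        return (f"warning: index speaks API major version {server_major}, "
                f"this client understands {client_major}; time to upgrade")
    return None


# Constructed /simple/ page: one PyPI-hosted release, one old release on
# Google Code, and a homepage link (all made up for this example).
SAMPLE_PAGE_URL = "https://pypi.python.org/simple/examplepkg/"
SAMPLE_SIMPLE_PAGE = """<html><body>
<a href="../../packages/source/e/examplepkg/examplepkg-1.1.tar.gz">examplepkg-1.1.tar.gz</a>
<a href="http://examplepkg.googlecode.com/files/examplepkg-1.0.tar.gz" rel="download">examplepkg-1.0.tar.gz</a>
<a href="http://code.google.com/p/examplepkg/" rel="homepage">homepage</a>
</body></html>"""

if __name__ == "__main__":
    for phase in Phase:
        print(f"--- {phase.name}")
        for url, allowed, msg in filter_links(SAMPLE_SIMPLE_PAGE, SAMPLE_PAGE_URL, phase):
            print(("fetch  " if allowed else "skip   ") + url, "|", msg or "")
    print(check_api_version({"x-pypi-api-version": "2.0"}, client_major=1))
```

Note that a single stale link on the page (the 1.0 release on Google Code) is enough to make the client leave PyPI in the WARN phase, which is exactly the crawl Aaron objects to; in the later phases that link is skipped unless the user opts in, and the PyPI-hosted 1.1 release is unaffected throughout.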