On Tue, Mar 12, 2013 at 11:53 -0400, PJ Eby wrote:
> On Tue, Mar 12, 2013 at 7:38 AM, holger krekel <hol...@merlinux.eu> wrote:
> > In addition, maintainers of installation tools are asked to release
> > two updates. The first one shall provide clear warnings if external
> > crawling needs to happen,
>
> A clarification here: "needs to happen" is not well-specified. An
> installer tasked with finding the latest or best-matching version of a
> package must currently *always* crawl. So the warning would be
> always.

Not after the initial automatic PyPI transition. For 90% of the packages you wouldn't see the warning then.

> The strategy I originally chose for making this change in easy_install
> is to warn once at the beginning that --allow-hosts has not been set,
> and thus packages might be downloaded from anywhere on the internet.

From a UI perspective I'd like to see a summary of actually consulted but non-specified websites (including whether it was http or https) at the very end of an installer's output. With "non-specified" I mean sites that weren't specified as an index server or allow-host.

> I've since become uncertain that this change is actually workable in
> the short term, since until most of the packages are actually moved
> onto PyPI, a lot of installs will fail if somebody changes their
> configuration to be more secure. So I'm thinking the warning needs to
> be deferred until at least the more popular packages have moved to
> PyPI.

I think it's fine to wait until after the initial "hosting-mode" transition.

> > Now, if there is some agreement, i can submit this PEP officially tomorrow,
> > and given agreement/refinements from the Pycon folks and the likes of
> > Richard, we may be able to get going very shortly after Pycon.
>
> I'd like to suggest that the PEP should be explicit that no other
> changes to the /simple generation algorithm are being made, just the
> removal or alteration of rel="" attributes. i.e., it will still be
> possible -- at least in the near term -- for projects to include
> explicit download links to files made available elsewhere. Changing
> that situation is more controversial and will require wider community
> participation than has occurred to date.

I kind of agree. To transition forward, we should leave out the question of further modifying the "simple/" pages at the moment. Mentioning that this means you can put "http://PKGNAME-VER.tar.gz" in your PKGNAME long_description or download_url metadata makes sense.

For that, the installers will give warnings, however, and eventually change defaults according to the PEP draft.

> It might also be good to suggest that authors of PyPI clones plan
> their own phase-out of rel="" attributes.

Most alternative servers I've seen don't use the "rel" attribute, but it's good to mention it.

best,
holger
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
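Two points in this thread lend themselves to a small worked example: the rel="" attributes on /simple pages that tell an installer which links to crawl, and holger's suggestion of an end-of-run summary of hosts that were consulted without having been named as an index server or in --allow-hosts. The block below is an added illustration written for this page; it is not code from PEP 438, setuptools, easy_install or pip. It assumes the pre-PEP convention that anchors carrying rel="homepage" or rel="download" are crawled for further files, and that --allow-hosts patterns are fnmatch-style globs (the real matching rules of any installer may differ). The /simple page, the host names and the file names are constructed for the example.

```python
"""Classify the links of a /simple/<pkg>/ page and summarise which hosts an
installer contacted that were neither the index server nor in allow-hosts.

Added example for the catalog-sig thread; not code from PEP 438, setuptools or
pip.  Assumptions: rel="homepage"/rel="download" anchors are crawl targets, and
allow-hosts entries are fnmatch-style globs (e.g. "*.example.org").
"""
import fnmatch
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

INDEX_URL = "https://pypi.python.org/simple/"  # the configured index server

# Constructed sample /simple page; every host and file name here is invented.
SAMPLE_PAGE = """<html><body>
<a href="../../packages/source/p/pkgname/pkgname-1.0.tar.gz#md5=0123">pkgname-1.0.tar.gz</a>
<a href="http://downloads.example.org/pkgname-1.1.tar.gz">pkgname-1.1.tar.gz</a>
<a href="https://pkgname.example.net/" rel="homepage">home page</a>
<a href="http://mirror.example.com/pkgname/" rel="download">download</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if "href" in a:
            self.links.append((a["href"], a.get("rel")))


def classify_links(page_html, page_url):
    """Return [(absolute_url, kind)] with kind in 'index', 'external-file', 'crawl'.

    'index'         - a file served by the index host itself
    'external-file' - an explicit download link to a file hosted elsewhere
    'crawl'         - a rel="homepage"/rel="download" page the installer would scrape
    """
    parser = LinkCollector()
    parser.feed(page_html)
    index_host = urlsplit(page_url).hostname
    result = []
    for href, rel in parser.links:
        url = urljoin(page_url, href)  # resolve relative hrefs against the page
        if rel in ("homepage", "download"):
            kind = "crawl"
        elif urlsplit(url).hostname == index_host:
            kind = "index"
        else:
            kind = "external-file"
        result.append((url, kind))
    return result


def host_allowed(url, allow_hosts):
    """True if the URL's host matches any allow-hosts glob pattern (assumed semantics)."""
    host = urlsplit(url).hostname or ""
    return any(fnmatch.fnmatch(host, pattern) for pattern in allow_hosts)


def unspecified_hosts(consulted_urls, index_url, allow_hosts=()):
    """Map host -> sorted schemes for every consulted host that was not specified."""
    index_host = urlsplit(index_url).hostname
    seen = {}
    for url in consulted_urls:
        parts = urlsplit(url)
        if parts.hostname == index_host or host_allowed(url, allow_hosts):
            continue
        seen.setdefault(parts.hostname, set()).add(parts.scheme)
    return {host: sorted(schemes) for host, schemes in sorted(seen.items())}


def summary_lines(consulted_urls, index_url, allow_hosts=()):
    """The end-of-run summary holger asks for: unspecified hosts, with http/https noted."""
    report = unspecified_hosts(consulted_urls, index_url, allow_hosts)
    if not report:
        return ["All files were fetched from the index server or from allowed hosts."]
    lines = ["Warning: hosts consulted that were not named as an index server or in --allow-hosts:"]
    for host, schemes in report.items():
        lines.append("  %s (%s)" % (host, ", ".join(schemes)))
    return lines


if __name__ == "__main__":
    page_url = INDEX_URL + "pkgname/"
    links = classify_links(SAMPLE_PAGE, page_url)
    for url, kind in links:
        print("%-14s %s" % (kind, url))
    consulted = [url for url, _ in links]
    print("\n".join(summary_lines(consulted, INDEX_URL, allow_hosts=["*.example.org"])))
```

Run stand-alone, the script classifies the four constructed links as one index file, one explicit external file and two crawl targets, then reports the two hosts not covered by the index server or the "*.example.org" allow pattern, each tagged with the scheme it was reached over; the plain-http crawl target is exactly the kind of entry a user would want to see called out before deciding whether to tighten --allow-hosts.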