On May 10, 2014, at 8:24 AM, Paul Moore <p.f.mo...@gmail.com> wrote:
> On 10 May 2014 12:57, Nick Coghlan <ncogh...@gmail.com> wrote: >> Actually, I expect folks like Stefan & MvL would likely want to be able to >> preserve the current "--allow-external" behaviour. The change Donald is >> suggesting could then just be a matter of renaming the current >> "--allow-external" to "--allow-safe-external", and making "--allow-external" >> and " --allow-unverifiable" synonyms. >> >> The error messages would still recommend "--allow-external", since that is >> likely what would be needed to solve any installation problems related to >> externally hosted files. > > The thing is, the current --allow-external helps basically no-one. If > the people who wanted the behaviour preserved switched their packages > to include hashes, so that they didn't *also* need > --allow-unverifiable, then keeping both (in some form) would make more > sense. But at the moment, the *only* people who can justifiably say > they want --allow-external to be retained are the authors of the > 26[1][2] verifiable but external packages on PyPI, and that's not a > big enough group to justify the confusion caused by having two similar > but subtly different options. The confusion is *massive* I've tried to explain the difference to many different people and I'm not sure any of them have ever grok'd what it meant. It got bad enough I eventually made --allow-unverified imply --allow-external and I started recommending to people to just use --allow-unverified because it was simpler and did "the right thing" in basically every case. It's a common pitfall of OSS software to try and please everyone. Often this ends up leading to a huge number of flags, options, or preferences. This is one of the things that have traditionally caused OSS software to have horrendous UIs. Every preference has a cost [1] and this particular preference there does not seem to be enough benefit to counterbalance the cost of it. > > Paul > > [1] See Donald's email. "And looking even closer at those, only 0.07% > (26) of them will have the outcome of ``pip install whatever`` change > (in other words, the latest version requires external+safe)." > [2] Apologies if Stefan and MAL are among those authors - it's not > clear to me if that's the case from the information I have. But even > if they are, the numbers argument is still pretty compelling. For what it’s worth argparse is now hosted on PyPI completely[2], so now there is 25! [1] http://ometer.com/free-software-ui.html [2] https://twitter.com/jezdez/status/464861314444451840 ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
