On 11 May 2014 17:58, "Paul Moore" <p.f.mo...@gmail.com> wrote:
>
> On 11 May 2014 08:38, Nick Coghlan <ncogh...@gmail.com> wrote:
> > This confusion can likely be resolved by giving the obvious "allow external"
> > name to the behaviour most users will want, and a more obscure name like
> > "allow verifiable external" to the specialised behaviour folks like Stefan &
> > MAL rely on.
>
> I'm struggling to reconcile Donald's assertion (based, I believe, on
> his data from PyPI) that there are only 25 or so packages on PyPI that
> are external but safe, and he's not familiar with any of them, against
> the comment that Stefan and MAL are affected by this change.

Let me be clear: this is *not* a technical decision from my perspective. It is a relationship management one, specifically in regards to maintaining the still fragile delegation of authority from python-dev to PyPA.

We currently have two core developers (Stefan Krah & Marc-Andre Lemburg) that are *very* unhappy with the way pip is evolving, because they favour the use of external hosting over uploading their packages to PyPI. While that is a minority opinion in the Python community at large, it still represents a significant proportion of the core developers that actually pay much attention to packaging issues.

Regardless of the technical merits of PEP 438, that disagreement places a strain on the trust relationship between python-dev & PyPA, the same relationship we rely on as part of getting proposals like PEP 453 (and hopefully the eventual inclusion of ensurepip in a 2.7 maintenance release) approved.

Donald's proposal is to take a situation that Stefan and MAL are *already* unhappy with and make it even *worse*, by making it impossible to opt in to verifiable external links without also opting in to unverifiable ones. Even with the PyPI numbers to back it up, the fast time line currently makes it possible to view that proposal as a fit of pique directed at Stefan & MAL, rather than as a well considered design decision.

By contrast, keeping the current "allow verifiable external links" behaviour available as a renamed option prevents that misreading of the situation: moving the problematic feature aside rather than deleting it entirely makes it much clearer that the purpose really is the officially stated one (making things less confusing for most users), and the timing is largely coincidental, with the python-dev discussion simply acting as a trigger for people to start seriously discussing ways to improve the usability of these options.

Regards,
Nick.