On May 11, 2014, at 3:58 AM, Paul Moore <p.f.mo...@gmail.com> wrote:
> On 11 May 2014 08:38, Nick Coghlan <ncogh...@gmail.com> wrote:
>> This confusion can likely be resolved by giving the obvious "allow external"
>> name to the behaviour most users will want, and a more obscure name like
>> "allow verifiable external" to the specialised behaviour folks like Stefan &
>> MAL rely on.
>
> I'm struggling to reconcile Donald's assertion (based, I believe, on
> his data from PyPI) that there are only 25 or so packages on PyPI that
> are external but safe, and he's not familiar with any of them, against
> the comment that Stefan and MAL are affected by this change.
>
> https://pypi.python.org/simple/cdecimal/ has no links - maybe because
> Stefan withdrew them at the start of this debate.

cdecimal used to, but Stefan removed them and then posted his message to python-dev.

> https://pypi.python.org/simple/egenix-mx-base/ has verifiable external
> links. I'm pretty surprised that Donald hasn't heard of mx-base.

egenix-mx-base does not have verifiable external links. Verifiable external links must be both directly linked to from the /simple/ index page and must include a hash. egenix-mx-base does not do this.

>
> Donald, maybe you could post the names of those 25 or so packages?

I’d have to recompile the list since I (stupidly) didn’t keep it around.

>
> Download counts as a gross measure of popularity would be useful here,
> but AIUI the current counts are unreliable. Is there any work going on
> to get better download counts? That would really help in exercises
> like this.

Here’s the thing, we can’t use download counts here because we don’t host those files.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
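The rule stated in the message above (a verifiable external link is linked directly from the /simple/ page and carries a hash) can be checked mechanically. The following is an added example, not part of the original message or of pip/PyPI code; the `#<algo>=<hex>` fragment form, the `rel` handling, the function names and the sample page are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hash fragments look like "#sha256=<hex>", the form pip reads.
HASH_ALGOS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
INDEX_HOST = "pypi.python.org"

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, rel) for every <a> on the page
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("rel") or ""))

def classify(page_url, html):
    """Map each external link on a /simple/ page to its verifiability."""
    parser = _Links()
    parser.feed(html)
    result = {}
    for href, rel in parser.links:
        url = urljoin(page_url, href)
        parts = urlsplit(url)
        if parts.hostname == INDEX_HOST:
            continue  # hosted on the index itself, not external
        algo, _, digest = parts.fragment.partition("=")
        has_hash = algo in HASH_ALGOS and bool(digest)
        # Assumption: rel="homepage"/"download" marks a page to scrape, not a file.
        direct = rel not in ("homepage", "download")
        result[url] = "verifiable" if direct and has_hash else "unverifiable"
    return result

def matches(data, url):
    """Check downloaded bytes against the hash carried in the link."""
    algo, _, digest = urlsplit(url).fragment.partition("=")
    ok = algo in HASH_ALGOS and bool(digest)
    return ok and hashlib.new(algo, data).hexdigest() == digest.lower()

# Constructed sample page and file contents (not real PyPI data).
BLOB = b"constructed archive bytes"
GOOD = "https://example.org/dl/demo-1.0.tar.gz#sha256=" + hashlib.sha256(BLOB).hexdigest()
SAMPLE = f"""<html><body>
<a href="{GOOD}">demo-1.0.tar.gz</a>
<a href="https://example.org/dl/demo-0.9.tar.gz">demo-0.9.tar.gz</a>
<a href="https://example.org/downloads/" rel="download">download page</a>
<a href="../../packages/source/d/demo/demo-0.8.tar.gz#md5=00">hosted</a>
</body></html>"""
```

Only the first link qualifies: the second lacks a hash, the third points at a page that would have to be scraped, and the fourth is hosted on the index and so is not external at all.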