Hi Donald and Holger, Let me try to summarize the core points here to make sure I'm understanding correctly:
1. A transition to allowing only pypi-explicit links (deprecating and removing pypi-*-crawl), as already envisioned in PEP 438, would solve the worst problem that PEP 470 is trying to solve - the user confusion around the multiple levels of --allow-* flags in pip. (I am not claiming it would bring every benefit of PEP 470, just that particular benefit). 2. To make even just that transition requires either a) breaking installation of externally-hosted packages on PyPI without active maintainers (let's call these "legacy packages" for short), or b) automatically scraping their external links and turning them into "verified" links (even though they are not actually verified at all). Is this an accurate summary? If so, I think I agree with Donald that 2b is just not acceptable, which means that some form of 2a is inevitable; it's just a matter of finding the smoothest and simplest deprecation path to get there. Holger seems to be proposing a sort of deprecation path for these packages (or the beginnings of one) involving a new "stale" flag. It seems to me that it would be simpler to just start a deprecation path for pip's --allow-unverified flag, and allow that deprecation path to run its course (with the deprecation message recommending replacing --allow-unverified with the appropriate --find-links). By the time --allow-unverified is removed from pip at the end of this deprecation period, only users of old pip versions might still be relying on legacy packages unawares. At that point, we'd have two choices. We could just leave those unverified links in the simple API for some longer time, choosing not to break legacy installers, and knowing that any modern installer will totally ignore them anyway. Or we could bite the bullet and remove the links, potentially breaking some legacy deploys using legacy installers to install legacy packages. I'm not going to venture an opinion on this choice right now - I think it could be punted to that later date. Getting back to PEP 470 (which I basically support as the direction we should be heading), I'd suggest these changes to the PEP text: 1. A clearer separation of the various problems the PEP is aiming to fix, and acknowledgment that just removing pypi-*-crawl (and leaving pypi-explicit) _would_ address at least the user-confusion issue around pip's flags (because there would only be --allow-external, whose meaning is clear), and might be a reasonable first step along the path towards PEP 470's goals. 2. Add a deprecation path for --allow-unverified; can describe it in general terms as "the PEP 438 installer flag allowing installation of unverified external packages" if you don't want to be pip-specific. Currently PEP 470 has no mention of this, but I think letting a deprecation of --allow-unverified fully run its course _before_ making breaking changes on the PyPI side is a critical part of making this transition in a user-friendlier way. Carl
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
