> On Oct 13, 2014, at 2:23 PM, Donald Stufft <[email protected]> wrote:
>
> Alright, here's yet another go at PEP 470.
>
> See it online at www.python.org/dev/peps/pep-0470/ or reproduced in full down
> below. The diff between this version and the last is available at
> https://hg.python.org/peps/rev/2855fa903e89.
>
> Important Notes:
>
> * Continue to use a ``<meta>`` link instead of an href to prevent older
>   installers from silently picking up insecure hosting URLs.
>
> * Reduce the overall impact by dropping the special case for PIL and instead
>   scan all projects for URLs which add installable files and move them to
>   the new external repository feature.
>
> * Reduce the overall impact by explicitly stating that PyPI will add the
>   location of any external repository in the UI for people using installers
>   which have not implemented the discovery feature.
>
> * Explicitly call out the key user experience requirements of a solution to
>   the general problem.
>
> * Simplify the ``<meta>`` tag a bit, and also add explicit repository vs
>   find-links types as well as include an example of the ``find-links`` type.
>
> * Allow a project to both host files on PyPI and register external
>   repositories, these can be used for things which cannot be hosted on PyPI
>   such as data files or Linux Wheels while still using PyPI as the
>   repository for "regular" situations.
>
> * Mandate that the discovery mechanism must exist in a released pip prior to
>   starting the deprecation process (with the exception of ``pypi-only`` for new
>   projects) and call this out using an important admonition.
>
> * Explicitly call out the fact that 99.5% of the users of the deprecated
>   features are doing so unsafely.
>
> * Explicitly reject the idea of preserving the existing links indefinitely.
>
> * Removed all examples which used the ``--extra-index-url`` feature of pip to
>   remove the distraction of the discussion of how that currently works and in
>   what scenarios it's safe or unsafe.
>
>
> Compatibility:
>
> I've thought it over and gone back and forth on it to myself and others. I
> cannot justify an attempt to preserve backwards compatibility when that
> backwards compatibility is almost entirely unsafe to begin with. What I have
> done is remove the special case of PIL and essentially apply that to all
> projects. This should mean that all projects should have the correct metadata
> immediately without any need for interaction by the authors of said projects.
> I've also explicitly included adding the new metadata to the PyPI web UI to
> improve the discoverability for users of installers which don't have the
> discovery features.
>
> PEP:
>
> [lots and lots of words]
I forgot to mention, I’ve also added that installers should implement a feature by which you can white or blacklist specific projects from being installed from a particular repository.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
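An added example, not code from the PEP or from anyone in this thread, of how an installer could act on two of the points above: read the ``<meta>`` discovery tag instead of following ``<a href>`` links, and apply the per-project white/blacklist for external repositories that the follow-up proposes. The tag's attribute names (``pypi:external-repository``, ``data-type``), the sample page, and the https-only rule are this example's own assumptions, not the PEP's wording.

```python
"""Installer-side handling of PEP 470 style external repository discovery.
Assumed, not taken from the PEP text: the tag looks like
<meta name="pypi:external-repository" content=URL data-type="repository|find-links">."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Discovery(HTMLParser):
    """Collects the <meta> discovery tags; <a href> links are ignored, so an
    installer without discovery support never sees an external URL."""
    def __init__(self):
        super().__init__()
        self.repos = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") == "pypi:external-repository" and a.get("content"):
            self.repos.append((a.get("data-type", "repository"), a["content"]))

def discover_external_repositories(page_html):
    """Return [(type, url)] for every discovery tag on a project's simple page."""
    parser = _Discovery()
    parser.feed(page_html)
    return parser.repos

def allowed_repositories(project, repos, allow=None, block=None):
    """Apply per-project allow/block lists keyed by repository host, as the
    follow-up proposes. Dropping plain-http repositories is this example's own
    policy, chosen because the thread calls such hosting unsafe."""
    out = []
    for kind, url in repos:
        parts = urlparse(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            continue
        if block and host in block.get(project, ()):
            continue
        if allow is not None and host not in allow.get(project, ()):
            continue
        out.append((kind, url))
    return out

# Constructed sample page: an https repository, an http find-links page, a direct link.
SAMPLE_PAGE = """<html><head>
<meta name="pypi:external-repository" content="https://files.example.org/simple/" data-type="repository">
<meta name="pypi:external-repository" content="http://mirror.example.net/pil/" data-type="find-links">
</head><body><a href="https://files.example.org/PIL-1.1.7.tar.gz">PIL-1.1.7.tar.gz</a></body></html>"""
```

Calling ``allowed_repositories("PIL", discover_external_repositories(SAMPLE_PAGE), allow={"PIL": {"files.example.org"}})`` keeps only the https repository; the http find-links page and the direct download link never reach the installer.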
