On Wed, 5 Jul 2023 at 15:07, Jonathan Crall <erote...@gmail.com> wrote:
>
> I like the idea of a vetted package index that pip can point to. The more I 
> think about it, the more I think that it needs some sort of peer review 
> system as the barrier to entry, and my thoughts go to establishing some DeSci 
> DAO that could distribute the peer review of packages amongst a set of 
> trusted maintainers while also being a mechanism to add new trusted 
> maintainers to the peer-review pool. Peer reviewers could be funded via a fee 
> to submit a package for publishing. There are a lot of open questions of how 
> this would be done correctly - or even if this is necessary - but I think to 
> achieve a scalable, funded, decentralized, and trustworthy package index a 
> DAO makes some amount of sense.
>

This adds up to a HUGE barrier to entry for new packages. For your
proposal to be successful, a good number of users would need to point
pip to the vetted index and NOT to the normal one (otherwise there's
no benefit - you're just getting non-vetted packages), and in order
for a new package to become relevant, it needs to:

1. Pay money. Even if it's not a huge dollar amount, that is already a
very significant barrier for casual users.
2. Get reviewed. This is going to take time.
3. Pass the review. If the review system is at all meaningful, it has
to knock some packages back, otherwise all you have is "pay to be
visible" which is a horrible system.
4. OR, instead of those steps: Convince your users to switch to the
"untrusted" package repository.

That makes for a very closed-off ecosystem, where an incumbent has a
dramatic advantage over anything that comes along. It would almost
certainly require that vetted packages not depend on non-vetted
packages (otherwise you'd need some bizarre mechanic whereby "pip
install package-name" looks at one repository, but it resolves
dependencies by looking at a different one), so nothing would have a
chance to be seen in the walled garden until you get it vetted AND
recognized.

So, sure, this would make life easier for those who want to randomly
download packages without thinking about them, but at the cost of
making the package repository extremely minimalist and insular. It'd
make the Python packaging ecosystem look as unfriendly as iPhone app
publishing.

ChrisA
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/2WLUMPDRTDVWIHWIJ7KINPF6LD4KRDCY/
Code of Conduct: http://python.org/psf/codeofconduct/