[Catalog-sig] Deprecate External Links
Noah Kantrowitz
noah at coderanger.net
Wed Feb 27 22:37:24 CET 2013
On Feb 27, 2013, at 1:31 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro <regebro at gmail.com> wrote:
>> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor <mordred at inaugust.com> wrote:
>>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>>> itself? I suppose you could explicitly break the external links by
>>>> having them point to nothing if you are worried about the security or
>>>> if it's some performance issue (that would indeed be a bad
>>>> compatibility break, in case people are using those for other
>>>> purposes). Otherwise, if it's a problem, then just use the old
>>>> version of pip.
>>>
>>> If we don't remove the feature from pypi itself
>>
>> It isn't a feature of PyPI. PyPI doesn't require you to upload the
>> files to PyPI. For that reason, easy_install and PIP will scrape
>> external sites to be able to download the files.
>>
>> What we should do is agree that this should stop,
>
> So far, I don't think anybody's talking to the right "we" for stopping
> it. It's the tools that control this, not PyPI. (PyPI can't actually
> stop the tools from using this information without also making itself
> a lot less useful to *humans* at the same time.)
>
> As far as my personal position on the matter, I think that it's
> reasonable to deprecate the scraping of home page and download links.
> As somebody pointed out, expired domains are a potentially nasty
> problem there.
>
> OTOH, I currently make development snapshots of setuptools and other
> projects available by dumping them in a directory that's used as an
> external download URL. Replacing that would be a PITA because PyPI
> only lets you upload and register new releases from distutils' command
> line. Basically, I'd need to use a download link that pointed to a
> "latest" URL that redirected to the final download.
>
> Anyway, I'm not seeing much discussion here about how to help authors
> make changes to their release processes. Note that many popular and
> long-lived projects (pywin32, PIL, etc.) have similar issues. (Not to
> mention the newer projects that host directly from revision control.)
>
> Given that easy_install was deliberately designed so that those guys
> would *not* need to change their hosting strategies to get automated
> downloads, I'd like to see more talk about how we're going to help
> people change their releasing and hosting strategies.
To be honest, either they will adapt or replacements will arise (see also: Pillow). PIL is a great example of something that can and _should_ be completely broken since it is already 90% broken anyway.
--Noah
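The scraping behaviour the thread describes (installers following rel=homepage/download links off PyPI to third-party hosts) can be audited per project. Added example, not from the original thread or any of the tools named in it: a Python script that classifies the links on a simple-index page into archives hosted on PyPI, pages an installer would crawl, and direct external archives; the PyPI host list, the category names and the sample page are constructed assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts treated as "hosted on PyPI" (an assumption for this example; adjust to the index you audit).
PYPI_HOSTS = {"pypi.python.org", "files.pythonhosted.org"}


class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from the <a> tags of a simple-index page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.links.append((a["href"], (a.get("rel") or "").lower()))


def classify_links(html, base_host="pypi.python.org"):
    """Map each href to one of:
    hosted           - archive lives on a PyPI host (relative links resolve to base_host)
    crawled          - rel=homepage/download page an installer would scrape for archives
    direct-external  - archive fetched straight from a third-party host
    """
    collector = _LinkCollector()
    collector.feed(html)
    result = {}
    for href, rel in collector.links:
        host = urlparse(href).netloc.lower() or base_host
        if host in PYPI_HOSTS:
            result[href] = "hosted"
        elif rel in ("homepage", "download"):
            result[href] = "crawled"
        else:
            result[href] = "direct-external"
    return result


def summarize(html):
    """Counts per category plus the external hosts an install would contact."""
    kinds = classify_links(html)
    hosts = sorted({urlparse(h).netloc for h, k in kinds.items() if k != "hosted"})
    return dict(Counter(kinds.values())), hosts

# Constructed sample modelled on the simple-index format of the time (not real project data).
SAMPLE_INDEX = """<html><body><h1>Links for example</h1>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=00">example-1.0.tar.gz</a><br/>
<a href="http://pypi.python.org/packages/source/e/example/example-1.1.tar.gz">example-1.1.tar.gz</a><br/>
<a href="http://example.org/" rel="homepage">1.1 home_page</a><br/>
<a href="http://example.org/downloads/" rel="download">1.1 download_url</a><br/>
<a href="http://downloads.example.net/example-dev.tar.gz">example-dev.tar.gz</a><br/>
</body></html>"""
```

Any host in the second element of `summarize()`'s result is one whose expiry or compromise would affect installs of that project, which is the risk raised in the thread.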