[Catalog-sig] Deprecate External Links

Noah Kantrowitz noah at coderanger.net
Wed Feb 27 22:37:24 CET 2013


On Feb 27, 2013, at 1:31 PM, PJ Eby wrote:

> On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro <regebro at gmail.com> wrote:
>> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor <mordred at inaugust.com> wrote:
>>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>>> itself? I suppose you could explicitly break the external links by
>>>> having them point to nothing if you are worried about the security or
>>>> if it's some performance issue (that would indeed be a bad
>>>> compatibility break, in case people are using those for other
>>>> purposes).  Otherwise, if it's a problem, then just use the old
>>>> version of pip.
>>> 
>>> If we don't remove the feature from pypi itself
>> 
>> It isn't a feature of PyPI. PyPI doesn't require you to upload the
>> files to PyPI. For that reason, easy_install and PIP will scrape
>> external sites to be able to download the files.
>> 
>> What we should do is agree that this should stop,
> 
> So far, I don't think anybody's talking to the right "we" for stopping
> it.  It's the tools that control this, not PyPI.  (PyPI can't actually
> stop the tools from using this information without also making itself
> a lot less useful to *humans* at the same time.)
> 
> As far as my personal position on the matter, I think that it's
> reasonable to deprecate the scraping of home page and download links.
> As somebody pointed out, expired domains are a potentially nasty
> problem there.
> 
> OTOH, I currently make development snapshots of setuptools and other
> projects available by dumping them in a directory that's used as an
> external download URL.  Replacing that would be a PITA because PyPI
> only lets you upload and register new releases from distutils' command
> line.  Basically, I'd need to use a download link that pointed to a
> "latest" URL that redirected to the final download.
> 
> Anyway, I'm not seeing much discussion here about how to help authors
> make changes to their release processes.  Note that many popular and
> long-lived projects (pywin32, PIL, etc.) have similar issues.  (Not to
> mention the newer projects that host directly from revision control.)
> 
> Given that easy_install was deliberately designed so that those guys
> would *not* need to change their hosting strategies to get automated
> downloads, I'd like to see more talk about how we're going to help
> people change their releasing and hosting strategies.

To be honest, either they will adapt or replacements will arise (see also: Pillow). PIL is a great example of something that can and _should_ be completely broken since it is already 90% broken anyway.

--Noah
