[Distutils] PEP 438, pip and --allow-external (was: "pip: cdecimal an externally hosted file and may be unreliable" from python-dev)

Donald Stufft donald at stufft.io
Sat May 10 16:16:45 CEST 2014


On May 10, 2014, at 8:24 AM, Paul Moore <p.f.moore at gmail.com> wrote:

> On 10 May 2014 12:57, Nick Coghlan <ncoghlan at gmail.com> wrote:
>> Actually, I expect folks like Stefan & MvL would likely want to be able to
>> preserve the  current "--allow-external" behaviour. The change Donald is
>> suggesting could then just be a matter of renaming the current
>> "--allow-external" to "--allow-safe-external", and making "--allow-external"
>> and " --allow-unverifiable" synonyms.
>> 
>> The error messages would still recommend "--allow-external", since that is
>> likely what would be needed to solve any installation problems related to
>> externally hosted files.
> 
> The thing is, the current --allow-external helps basically no-one. If
> the people who wanted the behaviour preserved switched their packages
> to include hashes, so that they didn't *also* need
> --allow-unverifiable, then keeping both (in some form) would make more
> sense. But at the moment, the *only* people who can justifiably say
> they want --allow-external to be retained are the authors of the
> 26[1][2] verifiable but external packages on PyPI, and that's not a
> big enough group to justify the confusion caused by having two similar
> but subtly different options.

The confusion is *massive*. I've tried to explain the difference to many different
people and I'm not sure any of them have ever grok'd what it meant. It got bad
enough that I eventually made --allow-unverified imply --allow-external, and I
started recommending that people just use --allow-unverified because it was
simpler and did "the right thing" in basically every case.

It's a common pitfall of OSS software to try to please everyone. Often this
ends up leading to a huge number of flags, options, or preferences. This is
one of the things that has traditionally caused OSS software to have
horrendous UIs. Every preference has a cost [1], and for this particular preference
there does not seem to be enough benefit to counterbalance that cost.

> 
> Paul
> 
> [1] See Donald's email. "And looking even closer at those, only 0.07%
> (26) of them will have the outcome of ``pip install whatever`` change
> (in other words, the latest version requires external+safe)."
> [2] Apologies if Stefan and MAL are among those authors - it's not
> clear to me if that's the case from the information I have. But even
> if they are, the numbers argument is still pretty compelling.

For what it’s worth argparse is now hosted completely on PyPI[2], so now there
are 25!

[1] http://ometer.com/free-software-ui.html
[2] https://twitter.com/jezdez/status/464861314444451840

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
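The distinction the message above says nobody grasps (internal vs. external vs. unverifiable links, and which flag unlocks which) is mechanical once written down. The following is an added example, not pip's code or anything from the thread: it classifies links on a constructed PyPI "simple" index page in the way PEP 438 describes, applies the --allow-external / --allow-unverified policy with --allow-unverified implying --allow-external, and checks a downloaded archive against the link's hash fragment. The index host `pypi.python.org`, the page contents, the archive bytes and the `files.example.org` host are all assumptions constructed for the example.

```python
"""Classify simple-index links per PEP 438 and apply pip's allow-external /
allow-unverified policy. Added example; not pip's implementation."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Assumption: the index host whose files count as "internal" (PyPI in 2014).
INTERNAL_HOSTS = {"pypi.python.org"}
# Hash fragments a link may carry, e.g. "#md5=<hex>" or "#sha256=<hex>".
HASH_FRAGMENT = re.compile(r"^(md5|sha1|sha224|sha256|sha384|sha512)=([0-9a-fA-F]+)$")

# Constructed sample archive and simple-index page (not real PyPI data);
# the md5 in the page is computed from the constructed bytes.
ARCHIVE = b"constructed example sdist bytes, not a real tarball"
ARCHIVE_MD5 = hashlib.md5(ARCHIVE).hexdigest()
INDEX_URL = "https://pypi.python.org/simple/example/"
INDEX_PAGE = f"""<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5={ARCHIVE_MD5}">example-1.0.tar.gz</a>
<a href="https://files.example.org/example-1.1.tar.gz#md5={ARCHIVE_MD5}">example-1.1.tar.gz</a>
<a href="https://files.example.org/example-1.2.tar.gz">example-1.2.tar.gz</a>
<a rel="homepage" href="https://example.org/">home page</a>
</body></html>"""
GOOD_URL = f"https://files.example.org/example-1.1.tar.gz#md5={ARCHIVE_MD5}"


class _LinkParser(HTMLParser):
    """Collect (absolute_url, rel) pairs for every <a href> on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if a.get("href"):
            self.links.append((urljoin(self.base_url, a["href"]), a.get("rel") or ""))


def classify(url, rel=""):
    """PEP 438 category: 'internal', 'external-verifiable' or 'external-unverifiable'.

    Internal: file hosted on the index itself (or link marked rel="internal").
    External + verifiable: hosted elsewhere but the link carries a hash fragment.
    External + unverifiable: hosted elsewhere with nothing to check it against.
    """
    clean, fragment = urldefrag(url)
    host = urlparse(clean).hostname or ""
    if host in INTERNAL_HOSTS or "internal" in rel.split():
        return "internal"
    if HASH_FRAGMENT.match(fragment):
        return "external-verifiable"
    return "external-unverifiable"


def allowed(kind, allow_external=False, allow_unverified=False):
    """Apply the flag policy; --allow-unverified implies --allow-external."""
    allow_external = allow_external or allow_unverified
    if kind == "internal":
        return True
    if kind == "external-verifiable":
        return allow_external
    return allow_unverified


def verify_download(url, data):
    """Compare downloaded bytes with the link's hash fragment.

    Returns True/False for a verifiable link, None when there is no fragment
    (the unverifiable case: nothing on the index vouches for the bytes).
    """
    _, fragment = urldefrag(url)
    m = HASH_FRAGMENT.match(fragment)
    if not m:
        return None
    algo, expected = m.group(1).lower(), m.group(2).lower()
    return hashlib.new(algo, data).hexdigest() == expected


def candidate_links(page_html, base_url, **flags):
    """Return [(url, kind, installable)] for every link on an index page."""
    parser = _LinkParser(base_url)
    parser.feed(page_html)
    out = []
    for url, rel in parser.links:
        kind = classify(url, rel)
        out.append((url, kind, allowed(kind, **flags)))
    return out


if __name__ == "__main__":
    for url, kind, ok in candidate_links(INDEX_PAGE, INDEX_URL, allow_external=True):
        print(f"{kind:24} {'install' if ok else 'skip':8} {url}")
    print("hash check on good download:", verify_download(GOOD_URL, ARCHIVE))
    print("hash check on tampered download:", verify_download(GOOD_URL, ARCHIVE + b"x"))
```

Running it with only `allow_external=True` installs the internal file and the hash-bearing external one but skips the bare external link and the scraped home page, which is exactly the "verifiable but external" set the thread is counting; with `allow_unverified=True` everything is installable and no hash check can be performed on the last two links. Note that the md5 fragment only ties the download to whatever the uploader linked at the time, not to PyPI, so "verifiable" is a narrower guarantee than it sounds.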


