[Distutils] Closing the Delete File + Re-upload File Loophole.
Ian Cordasco
graffatcolmingov at gmail.com
Sat Jan 24 20:06:07 CET 2015
On Sat, Jan 24, 2015 at 11:38 AM, Donald Stufft <donald at stufft.io> wrote:
>
> On Jan 24, 2015, at 12:37 PM, John Anderson <sontek at gmail.com> wrote:
>
>
>
> On Saturday, January 24, 2015, Donald Stufft <donald at stufft.io> wrote:
>>
>> I've pushed changes to PyPI where it is no longer possible to reuse a
>> filename
>> and attempting to do it will give an 400 error that says:
>>
>> This filename has previously been used, you should use a different
>> version.
>>
>> This does NOT prevent authors from being allowed to delete files from
>> PyPI,
>> however if a file is deleted from PyPI it cannot be re-uploaded again.
>> This
>> means that if you upload say foobar-1.0.tar.gz, and your 1.0 has a mistake
>> in
>> it then you *must* issue a new release to correct it.
>>
>> ---
>> Donald Stufft
>> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>
>
> My only concern is that there is no reliable way to test that your README
> will be parsed correctly. Is there a timeline for switch it to use
> https://github.com/pypa/readme?
>
> I would say majority of the time I do a release of the same version it's
> because of the fragile rst parsing.
>
> If I have to run the risk of bumping versions just to fix a valid
> restructured text document to fit pypi parsing it'll make releasing a very
> stressful experience.
>
>
> You can re-run register as many times as you want which is all you need to
> adjust the README.
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
.post{N} releases are also a good way of fixing this in the package
(assuming you want the most current and correct version of the README
to be what the user downloads). The .post{N} part of PEP440 is
semantically for build errors in a package where no other changes to
the package have been made. I think this qualifies as a use case.
More information about the Distutils-SIG
mailing list