[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Andreas Jung lists at zopyx.com
Thu Jun 17 06:22:32 CEST 2010



Hi there,

I propose a policy change for packages registered with PyPI:

 - packages registered on PyPI have at least one release

 - one release of a registered package on PyPI _must_ contain
   a valid source code distribution (sdist)

 - packages registered on PyPI without releases or without a
   source code release are subject to removal N days
   after the day of registration

Why?

Any package registered on PyPI is possibly crucial to any kind of
development and deployment.

Packages hosted on external servers (referenced through a download_url)
are subject to come and go - packages once released should be available
at any time from a well-known location (PyPI). Dependencies on the
availability of external download servers other than PyPI are hardly
acceptable for real-world development and deployments.

As an example: the Plone CMS buildouts depend on python-openid.
This package is registered with PyPI

http://pypi.python.org/pypi/python-openid

but references

http://openidenabled.com/files/python-openid/packages/python-openid-2.2.4.tar.gz

For whatever reason the download URL is no longer working. In fact:
openidenabled.com now points to http://www.janrain.com.

Other reasons for disappearing packages in the past:

 - network or server outages of external servers
 - users changed their organization and the organization removed
   content of their former employees

PyPI is a valuable and crucial resource for Python development.
It must be kept up-to-date and consistent.

I don't care about the arguments that were made in the past against
stronger rules ("openness" etc.).

There are a lot of Python programmers around that are not Python geeks
as most of us are, and they just become pissed off when packages come and
go or are not in the place where one would expect them.

PyPI is a community resource - but community does not mean anarchy where
everyone should be able to upload their package crap without looking left
and right and having the community and its needs in mind.

PyPI must become a stable package index. Everything registered with PyPI
must be available at any time (mirrors, distributing PyPI in the cloud...).

Andreas

-- 
ZOPYX Limited           | zopyx group
Charlottenstr. 37/1     | The full-service network for Zope & Plone
D-72070 Tübingen        | Produce & Publish
www.zopyx.com           | www.produce-and-publish.com
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting
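The three rules proposed above can be checked mechanically. The following audit script is an added example, not code from the post or from PyPI; it walks package metadata laid out in the shape of the PyPI JSON API (an `info` block with `download_url`, and a `releases` map of version to file records with `packagetype` and `url`) and reports whether a package has at least one release, whether any release carries an sdist hosted on PyPI itself rather than only behind an external `download_url`, and whether the N-day grace period has elapsed. The package records, dates, the `goodpkg` name and the grace period of 30 days are constructed for the example; the `python-openid` record mirrors the situation described in the post, with its `download_url` pointing at the openidenabled.com file and no files on the index.

```python
"""Audit PyPI-style package metadata against the proposed sdist policy.

Added example: data layout follows the PyPI JSON API (``info`` + ``releases``),
but every record below is a constructed sample, not live index data.
"""
from datetime import date
from urllib.parse import urlparse

# Hosts that count as "PyPI itself". pypi.python.org was the index host at
# the time of the post; the two newer names are an assumption added so the
# check also works against the current index.
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}


def hosted_on_pypi(url):
    """True when a file URL points at the index rather than an external server."""
    host = urlparse(url).hostname or ""
    return host in PYPI_HOSTS


def find_pypi_sdists(releases):
    """Yield (version, filename) for every sdist that is hosted on PyPI."""
    for version, files in releases.items():
        for f in files:
            if f.get("packagetype") == "sdist" and hosted_on_pypi(f.get("url", "")):
                yield version, f.get("filename", "")


def audit_package(metadata, registered_on, today, grace_days=30):
    """Apply the three proposed rules to one package.

    ``registered_on`` and ``today`` are ISO date strings (YYYY-MM-DD).
    Returns a dict with the problems found and whether removal is due.
    """
    info = metadata.get("info", {})
    releases = metadata.get("releases", {})
    has_release = any(files for files in releases.values())
    sdists = list(find_pypi_sdists(releases))
    external_url = info.get("download_url") or ""

    problems = []
    if not has_release:
        problems.append("no release")
    if not sdists:
        problems.append("no sdist hosted on PyPI")
        if external_url and not hosted_on_pypi(external_url):
            # The package exists only as a pointer to a server PyPI does not control.
            problems.append("only an external download_url: " + external_url)

    age_days = (date.fromisoformat(today) - date.fromisoformat(registered_on)).days
    return {
        "name": info.get("name"),
        "compliant": not problems,
        "problems": problems,
        "pypi_sdists": sdists,
        "removal_due": bool(problems) and age_days >= grace_days,
    }


# Constructed sample index: one compliant package, one that mirrors the
# python-openid situation from the post (external download_url, nothing on PyPI).
SAMPLE_INDEX = {
    "goodpkg": {
        "info": {"name": "goodpkg", "download_url": ""},
        "releases": {
            "1.0": [
                {
                    "packagetype": "sdist",
                    "filename": "goodpkg-1.0.tar.gz",
                    "url": "http://pypi.python.org/packages/source/g/goodpkg/goodpkg-1.0.tar.gz",
                }
            ]
        },
    },
    "python-openid": {
        "info": {
            "name": "python-openid",
            "download_url": "http://openidenabled.com/files/python-openid/packages/python-openid-2.2.4.tar.gz",
        },
        "releases": {"2.2.4": []},
    },
}

# Constructed registration dates for the sample packages.
SAMPLE_REGISTRATION = {"goodpkg": "2010-05-01", "python-openid": "2010-01-10"}


def audit_index(index, registration_dates, today, grace_days=30):
    """Audit every package in an index; returns {name: result}."""
    return {
        name: audit_package(md, registration_dates[name], today, grace_days)
        for name, md in index.items()
    }


if __name__ == "__main__":
    for name, result in audit_index(SAMPLE_INDEX, SAMPLE_REGISTRATION, "2010-06-17").items():
        print(name, "OK" if result["compliant"] else result["problems"],
              "(removal due)" if result["removal_due"] else "")
```

Against a live index the same `audit_package` function can be fed the parsed response of `/pypi/<name>/json` for each package and a registration date taken from the earliest `upload_time` in its releases; the check that matters for deployments is the `pypi_sdists` list, since a package whose only artifact lives behind a third-party `download_url` disappears the moment that server does.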

