[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Thu Jun 17 17:11:01 CEST 2010

On Thu, 17 Jun 2010 04:11:19 pm Christian Zagrodnick wrote:
> On 2010-06-17 06:22:32 +0200, Andreas Jung <lists at zopyx.com> said:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi there,
> >
> > I propose a policy change for packages registered with PyPI:
> >
> >  - packages registered on PyPI have at least one release
> > 
> >  - one release of registered package on PyPI _must_ contain
> >    a valid source code distribution (sdist)

-1000

Please take your religious wars elsewhere. Python might be open source 
software, but there is no requirement that only open source software 
can be written in Python, and PyPI is for all Python developers, not 
just FOSS developers.

> >  - packages registered on PyPI without releases or without
> >    source code release are subject to be removed after N days
> >    after the day of registration
> >
> > Why?
> >
> > Any package registered on PyPI is possibly crucial to any kind of
> > development and deployment.

Just because it's crucial to you doesn't mean you own it and can dictate 
what the package owner does with it.

The important question here is, who controls the package? Is it the 
package owner, or PyPI? Your proposal is to give control over the 
package to PyPI rather than the owner and strip the developer of 
control in return for indexing the package on PyPI. Not only is that in 
my opinion rude and unethical, but I expect it will lead to a lot of 
authors abandoning PyPI. Instead of being the one obvious place to 
index Python packages, this proposal will fragment the package space. 
Not where the packages are hosted, but where they are indexed.

> > Packages hosted on external servers (referenced through a
> > download_url) are subject to come and go - packages once released
> > should be available at any time from a well-known location (PyPI).

And packages that are crucial to development should be bug-free, so 
perhaps we should ban packages that contain bugs too?

> > Dependencies on the availability of external downloads servers
> > other than PyPI are hardly acceptable for real-world development
> > and deployments.
>
> I second that. External download URLs are really a pain.

Then don't use them. Problem solved.

> I don't think that removing packages that way would really solve the
> problem. I think the core is:
>
> * Require the package to have a source dist *on* PyPI
> * Forbid removing any source package.

You would FORBID the package author from removing his or her own 
package? Whiskey-Tango-Foxtrot.

There are all sorts of reasons, some good, some bad, why an author might 
decide to remove his package from public distribution. What gives you 
the right to decide that he should be prohibited from doing so?

-- 
Steven D'Aprano