[Catalog-sig] Use user-specific site-packages by default?

Jesse Noller jnoller at gmail.com
Tue Feb 5 22:04:40 CET 2013



On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:

> On 2/5/2013 8:02 AM, Jesse Noller wrote:
> > 
> > 
> > On Feb 5, 2013, at 7:51 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> > 
> > > On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
> > > > 1. Packages should only be installed from the given package indexes.
> > > > No scraping of websites as at least easy_install/buildout does, no
> > > > downloading from external download links. A deprecation period for
> > > > this of a couple of months, to give package authors the chance to
> > > > upload their packages is probably necessary.
> > > 
> > > 
> > > PyPI will need to change for this to happen realistically if I recall.
> > > There is a
> > > hard limit on how large of a distribution can be uploaded to PyPI and
> > > there
> > > are, if I recall, valid distributions which are larger than that.
> > > 
> > > Personally I want the installers to only install from PyPI so my
> > > suggestion
> > > if this is something that (the proverbial) we want to do, PyPI should gain
> > > some notion of a soft limit for distribution upload (to prevent against
> > > DoS) with the ability to increase that size limit for specific
> > > projects who
> > > can file a ticket w/ PyPI to have their limit increased.
> > 
> > 
> > 
> > I strongly concur; however this does mean I will need to work with the
> > board to procure additional storage or we will need to take the monthly
> > storage hit and push it to s3 or another CSP.
> 
> 
> 
> It seems to me that only downloading from PyPI is as extreme as 
> downloading from anywhere and everywhere. Why is downloading from 
> code.google.com, for instance, worse than from pypi.python.org? I 
> suspect their uptime and security is *better* than that of ours. Ditto 
> for SourceForge. Why should PSF, with limited resources, pay for what 
> Google, for instance, with its massive resources, gives out for free? I 
> would rather the money went, for instance, to pay someone to review and 
> push patches that no one will look at for free. Or pay someone to work 
> on some of the hard security issues that are not being solved as fast as 
> they should be otherwise.

Find that person and we'll pay them too. 



