[Catalog-sig] Deprecate External Links

PJ Eby pje at telecommunity.com
Wed Feb 27 22:31:48 CET 2013


On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro <regebro at gmail.com> wrote:
> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor <mordred at inaugust.com> wrote:
>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>> itself? I suppose you could explicitly break the external links by
>>> having them point to nothing if you are worried about the security or
>>> if it's some performance issue (that would indeed be a bad
>>> compatibility break, in case people are using those for other
>>> purposes).  Otherwise, if it's a problem, then just use the old
>>> version of pip.
>>
>> If we don't remove the feature from pypi itself
>
> It isn't a feature of PyPI. PyPI doesn't require you to upload the
> files to PyPI. For that reason, easy_install and PIP will scrape
> external sites to be able to download the files.
>
> What we should do is agree that this should stop,

So far, I don't think anybody's talking to the right "we" for stopping
it.  It's the tools that control this, not PyPI.  (PyPI can't actually
stop the tools from using this information without also making itself
a lot less useful to *humans* at the same time.)

As far as my personal position on the matter, I think that it's
reasonable to deprecate the scraping of home page and download links.
As somebody pointed out, expired domains are a potentially nasty
problem there.

OTOH, I currently make development snapshots of setuptools and other
projects available by dumping them in a directory that's used as an
external download URL.  Replacing that would be a PITA because PyPI
only lets you upload and register new releases from distutils' command
line.  Basically, I'd need to use a download link that pointed to a
"latest" URL that redirected to the final download.

Anyway, I'm not seeing much discussion here about how to help authors
make changes to their release processes.  Note that many popular and
long-lived projects (pywin32, PIL, etc.) have similar issues.  (Not to
mention the newer projects that host directly from revision control.)

Given that easy_install was deliberately designed so that those guys
would *not* need to change their hosting strategies to get automated
downloads, I'd like to see more talk about how we're going to help
people change their releasing and hosting strategies.
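As an added example that is not code from this thread, from PyPI, or from pip/easy_install: a small audit script that separates the files an index hosts itself from the home-page and download links a scraping installer would otherwise follow off to external hosts (the expired-domain concern above). The index host, page URL and sample HTML are constructed for the example; the `rel="homepage"` / `rel="download"` markers on the sample anchors are assumed to be the only hint the page gives about a link's purpose.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed index host and page URL (constructed for this example).
INDEX_HOST = "pypi.example.org"
PAGE_URL = "https://pypi.example.org/simple/demo/"

# File types an installer would treat as a downloadable release.
ARCHIVE_SUFFIXES = (".tar.gz", ".zip", ".egg", ".whl")

# Constructed sample of a "simple" index page: two files hosted on the
# index itself, one download link on another host, and one home-page link.
SAMPLE_PAGE = """
<html><body>
<a href="../../packages/source/d/demo/demo-1.0.tar.gz">demo-1.0.tar.gz</a>
<a href="http://downloads.example.net/demo/demo-1.1.tar.gz" rel="download">demo-1.1.tar.gz</a>
<a href="http://demo-project.example.com/" rel="homepage">home page</a>
<a href="https://pypi.example.org/packages/source/d/demo/demo-0.9.tar.gz">demo-0.9.tar.gz</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((href, attrs.get("rel") or ""))


def classify_links(page_html, page_url=PAGE_URL):
    """Split a page's links into those on the index host and those elsewhere.

    Relative hrefs are resolved against page_url before the host is compared,
    so a relative link to the index's own package directory counts as internal.
    """
    parser = LinkCollector()
    parser.feed(page_html)
    result = {"internal": [], "external": []}
    for href, rel in parser.links:
        absolute = urljoin(page_url, href)
        host = urlsplit(absolute).hostname
        kind = "internal" if host == INDEX_HOST else "external"
        result[kind].append({"url": absolute, "rel": rel, "host": host})
    return result


def external_hosts(page_html, page_url=PAGE_URL):
    """Sorted list of hosts an installer would contact beyond the index itself."""
    links = classify_links(page_html, page_url)["external"]
    return sorted({link["host"] for link in links})


def archive_urls(page_html, page_url=PAGE_URL, allow_external=False):
    """Release archives a tool would consider; external ones only if allowed.

    Home-page links are never archives, so they drop out here even when
    external links are permitted; they matter only as scraping targets.
    """
    links = classify_links(page_html, page_url)
    candidates = links["internal"] + (links["external"] if allow_external else [])
    return [
        link["url"]
        for link in candidates
        if urlsplit(link["url"]).path.endswith(ARCHIVE_SUFFIXES)
    ]


if __name__ == "__main__":
    report = classify_links(SAMPLE_PAGE)
    print("hosted on the index:")
    for link in report["internal"]:
        print("  ", link["url"])
    print("external hosts an installer would follow:")
    for link in report["external"]:
        print("  ", link["host"], "(rel=%r)" % link["rel"])
    print("archives with external links refused:", archive_urls(SAMPLE_PAGE))
```

Run against a real index page, the `external_hosts` list is the set of domains whose expiry or takeover would affect installs of that project; the `allow_external=False` default in `archive_urls` is the tool-side policy the thread is asking for, expressed as a filter rather than a change to the index.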
