[Distutils] Immutable Files on PyPI

Robert Collins robertc at robertcollins.net
Sun Sep 28 23:51:13 CEST 2014


On 29 September 2014 10:36, M.-A. Lemburg <mal at egenix.com> wrote:

> -1.
>
> It does happen that files need to be reuploaded because of a bug
> in the release process and how people manage their code is really
> *their* business, not that of PyPI.
>
> FWIW, I am getting increasingly annoyed how PyPI and pip try to dictate
> the way package authors are supposed to build, manage and host their
> Python packages and release process. Can we please stop this ?

PyPI is mirrored by many people, most hopefully using bandersnatch. If
you change the contents of a release, that will usually break someone
somewhere. Places I've seen it break:

- BSD ports trees [sha1sum no longer matches]
- Dpkg and rpm source builds [content no longer matches upstream,
  doesn't break hash because those projects cache the source code
  themselves]
- Non-bandersnatch mirrors (such as devpi, or pypi-mirror) which assume
  files are immutable and don't cross-check once a file is successfully
  downloaded.

PEP-440 provides the postN version suffix *specifically* to allow folk
to fix a release without running into these issues. Is that something
you can use?

I don't see the work being done on PyPI as dictating how code is
managed: you can delete things, you can upload new things. What it's
doing with this specific change is enforcing immutability of *public
artifacts* which most of the software ecosystem already depends on. +1
from me.

-Rob


-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
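The mirror behaviour Rob describes (a cache records a digest on first fetch and never re-checks the same filename) can be modelled in a few lines. This is an added illustration, not code from the thread, from PyPI or from bandersnatch; the manifest layout and the sample sdist bytes are constructed for the example.

```python
"""Model of a hash-pinned mirror cache and why same-name re-uploads break it.

Added example; the manifest format and sample artifacts are constructed,
not taken from any real mirror implementation.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_release(manifest: dict, filename: str, data: bytes) -> dict:
    """Pin the digest of a file the first time the mirror fetches it.

    Like the mirrors in the thread, an already-known filename is never
    re-pinned: the cache assumes published artifacts are immutable.
    """
    manifest = dict(manifest)
    if filename not in manifest:
        manifest[filename] = sha256_hex(data)
    return manifest


def verify_against_manifest(manifest: dict, filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for a freshly fetched artifact."""
    expected = manifest.get(filename)
    if expected is None:
        return "unknown"  # never seen this filename: a genuinely new artifact
    return "ok" if expected == sha256_hex(data) else "mismatch"


def simulate() -> dict:
    """Re-upload under the same name vs. a PEP 440 post-release filename."""
    manifest = record_release({}, "foo-1.0.tar.gz",
                              b"constructed sdist contents of foo-1.0")
    fixed = b"constructed *fixed* sdist contents"
    # Same filename, different bytes: every hash-pinning consumer now fails.
    same_name = verify_against_manifest(manifest, "foo-1.0.tar.gz", fixed)
    # New filename for the fix: mirrors simply see a new artifact to fetch.
    post = verify_against_manifest(manifest, "foo-1.0.post1.tar.gz", fixed)
    return {"reupload": same_name, "post_release": post}
```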

