[Distutils] Immutable Files on PyPI

Nick Coghlan ncoghlan at gmail.com
Mon Sep 29 11:50:45 CEST 2014 

On 29 Sep 2014 19:04, "M.-A. Lemburg" <mal at egenix.com> wrote:
>
> Do you seriously want to force package authors to cut a new release
> just because a single uploaded distribution file is broken for
> some reason and then ask all users who have already installed one
> of the non-broken ones to upgrade again, even though they are not
> affected ?

Yes, I do. Silently changing released artefacts is actively user hostile.
It breaks mirroring, it breaks redistribution, it breaks security audits,
and it can even break installation for security conscious users that are
using peep rather than pip.

>
> Please repeat with me: Package authors care for their users :-)

If that's the case, then checking releases on devpi or the PyPI test
instance shouldn't be a problem. I am personally quite open to suggestions
for making such checks easier to automate in a consistent way.

I am thoroughly *against* retaining a general capability to silently
substitute the contents of previously released files with a different
payload solely to handle the case of packaging errors that aren't otherwise
severe enough to warrant bumping the version number - if they're that
insignificant that users that installed the "broken" one don't need to
update, then there doesn't seem to be any urgency in getting the fix
published at all, so the package author may even decide to wait until their
next release, rather than pushing out an immediate fix.

Regards,
Nick.

>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source  (#1, Sep 29 2014)
> >>> Python Projects, Consulting and Support ...   http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2014-09-30: Python Meeting Duesseldorf ...                      tomorrow
>
> ::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
>
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140929/2918f97c/attachment.html>

More information about the Distutils-SIG mailing list