[Distutils] Immutable Files on PyPI
Nick Coghlan
ncoghlan at gmail.com
Mon Sep 29 12:01:36 CEST 2014
On 29 Sep 2014 19:50, "Nick Coghlan" <ncoghlan at gmail.com> wrote:
>
>
> On 29 Sep 2014 19:04, "M.-A. Lemburg" <mal at egenix.com> wrote:
> >
> > Do you seriously want to force package authors to cut a new release
> > just because a single uploaded distribution file is broken for
> > some reason and then ask all users who have already installed one
> > of the non-broken ones to upgrade again, even though they are not
> > affected ?
>
> Yes, I do. Silently changing released artefacts is actively user hostile.
It breaks mirroring, it breaks redistribution, it breaks security audits,
and it can even break installation for security conscious users that are
using peep rather than pip.
One caveat on this: it would potentially be convenient to have a "release"
field in the wheel naming scheme, and adopt a similar approach for other
binary formats like Windows installers, specifically to allow those to be
updated without needing to do a full source version update.
It's the silent substitution of file contents I have a fundamental problem
with, not the notion of being able to publish an updated platform specific
build artefact without having to bump the source release version.
Cheers,
Nick.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140929/b3bf976f/attachment.html>
More information about the Distutils-SIG
mailing list