[Distutils] new PyPI: a rant from a package maintainer

Lucas Boppre Niehues lucasboppre at gmail.com
Fri Aug 4 20:42:44 EDT 2017


Thank you for the kind responses.

I hope I haven't offended anybody, and please know that I'm incredibly
grateful for all the sweat and blood that has been poured into these
projects. I'm complaining about the current situation to show the largest
pain points from my perspective. That's also why I'm posting here and not
somewhere more visible.

James, please see that this is not just me lashing out to vent. This is the
first time I have ever posted a rant. I'm pointing out the problems I experienced
in the hopes that the people responsible notice the patterns, and derive
solutions from them. I'm sorry for the flowery language, but be sure that
the original events contained a lot more expletives, and I think people's
reactions are important to prioritization. I've changed development focus
before because someone emailed me complaining about a specific part of a
project.

Donald, thank you very much for the reasoned, helpful and thorough
response. Here's my reply to the most important points:

> The fundamental issue here is trying to find the right balance between
> constraining authors so that end users can have a consistent behavior
> between packages and giving authors power to best manage their own projects.
> [...]
> Some of this is purposeful as we attempt to rein in some of the more
> “random” features that PyPI has grown over time

I'm very glad to hear that. Speaking for myself, I wouldn't mind if PyPI
became an API-only service that hosts immutable packages. Even if it makes
my life a bit harder and I have to re-invent my release process, I would
rather the platform be more solid.


> The ability to upload anything besides sdists, wheels, and eggs was
> deprecated and removed. You can read the PEP that removed them at
> https://www.python.org/dev/peps/pep-0527/.

That's... interesting. Thank you for the link, this is the first time I'm
seeing it. I really liked the Windows installers, but I understand the need
to slim down the infrastructure. Also, I now see some of my confusion was
because of the invisible "allow legacy file types to be uploaded" flag in
some of the projects but not others.


>> I can't even specify the description of a package, not even during
>> registration or upload.
> Tell me your package name privately or publicly and I’ll figure out what
> went wrong.

https://pypi.python.org/pypi/mouse/0.6.0
https://test.pypi.org/project/mouse/0.6.0

The long description was originally Markdown, and converted to RST by
pandoc. I would 100% understand if this conversion triggered some bug. My
gripe was that one by one my debugging tools failed in confusing ways.


>> I cannot even report the issues. [ ... ] because there's no clear
>> location to report them.
> This is a problem, and we don’t really have a good solution for them. I
> think generally what happens is people just open them on whichever tool
> they think is the best fit, and the authors of these tools all know each
> other, and if it ends up getting filed in the incorrect place, we just
> redirect people to the correct place.

Just my 2 cents, but I often don't post a bug report at all for fear of
wasting the wrong person's time. I'll keep this case in mind, but you may
be missing some important reports with this configuration. The
"packaging-problems" repo was almost perfect, but I avoided it due to the
feeling of being abandoned or exclusive for PyPI developers. An explicit
"It's ok to post X, Y and Z bugs here if you are unsure" would have changed
my mind.


> This is a service used by ~everyone in the Python community without even
> a single full time person on it.

I'm deeply grateful for the work you and the other contributors have put
here. I see the project is in good hands, if an insufficient number of
them. But this is also an incredibly worrying statement. I work in
security, and I know I'll have nightmares after reading this :(


> When I have generated emails in the past I tend to get a slew of people
> berating me for sending them emails about things.
> Particularly for changes like this where their belief is that for most
> people, the impact should be minimal, if there is any at all.

That's awful, I'm sorry. Maybe an opt-in system during upload, to appease
both crowds? I know I would set "email_me_important_announcements=True" in
a heartbeat in my setup.py. Also note that people who don't like impact
won't like the changes regardless of whether you email them or not, though I
understand it's not nice to receive hate-mail.


To be fair this migration is indeed mostly smooth. PyPI.org looks good,
pypi.python.org is still working well (minus one or two deprecated
endpoints leading to 410 Gone), my setuptools automatically migrated to the
legacy API, and I have nothing but praise for twine. And I found the use of
HTTP error responses including detailed migration information to be a
clever last-resort attempt at reaching the user. I faced several problems
in my rant, but fixing any one of them would have solved my situation. I'm
sure you guys can get there.

Thank you for your patience and hard work, and I hope PyPI continues being
one of the pillars of the community.