[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Bob Ippolito bob at redivi.com
Thu Oct 9 15:35:43 EDT 2003


On Thursday, Oct 9, 2003, at 15:06 America/New_York, Jack Jansen wrote:

>
> On 9-okt-03, at 20:04, Eric Nieuwland wrote:
>>> I don't think so: I think MD5 is good enough here. The scapegoat
>>> downloaded a specific source distribution and built it without
>>> problems. S/he gets the md5 sum of that distribution, puts the URL and
>>> md5sum in the database and can be sure that whatever the end user
>>> downloads is correct.
>>
>> OK. I assumed that the scapegoat would like to know for sure where the
>> code came from. Otherwise, s/he has to either trust the source and thus
>> the developer or review and test every package.
>
> It is *definitely* the intention that the scapegoat reviews and tests every
> package! That's why s/he is called the scapegoat (and not the "package
> collector" or some such): if something is wrong with a package, or if there
> is unforeseen interaction among packages, you're free to blame the scapegoat.
>
> The situation is the same as my role for the MacPython core distribution:
> if there's something wrong you can blame me.
>
> Not that this makes any significant difference in the open source world:
> you can blame me all you like but you can't sue me. But the intention is
> indeed that the scapegoat tests the packages to approximately the same level
> as I test MacPython distributions.
>
> But: this is my view on PackMan (have a small number of reasonably well tested
> packages), Bob's view is pretty different: he uses it mainly to distribute
> many packages in pre-compiled form, making them available to people without
> the developer tools, but without much testing done (if I understand
> correctly).

I do plenty of testing on a few of the packages, but some of them I 
don't know how to or have time to test thoroughly.  If someone tells me 
that a package doesn't work, I'll fix it.  You're right though, I'm 
more concerned with giving people an easy out to installing packages 
than to give them an easy out that works with 99% certainty.  The 
quality of package I'm giving them is certainly no lower than if they 
had compiled it themselves with normal options, especially for the 
packages that I have to modify in some way or compile with exotic 
options (i.e. static libtiff, libjpeg, etc in PIL, vecLib support in 
Numeric, etc.).  I suppose that's why I'm running the 
experimental/unofficial database :)

Perhaps we should have a system where users of the packages can give a 
particular package in my repository a vote of confidence, which you can 
review and use to eventually migrate the package into the official 
stable repository.  The same system should also be used to report bugs 
with packages, and to request new packages.

By the way, with regard to the include statement in the plist, if I 
include your database but have a newer version of a particular package, 
do both versions show up or just the newest?

-bob
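The URL-plus-md5sum workflow quoted above (the scapegoat records the digest of the distribution s/he built, the end user checks the fetched bytes against it), as an added Python example that is not code from PackMan, MacPython, or anyone in this thread. The database layout (a dict keyed by package name with "url" and "md5sum" fields), the function names, the sample bytes and the example.invalid URL are assumptions made for the illustration.

```python
"""URL + md5sum pinning for a package database: record on the scapegoat's
side, verify on the end user's side.  Added example; the database layout
and names below are assumptions, not PackMan's real format."""
import hashlib
import hmac
from typing import Dict, Iterator

CHUNK_SIZE = 64 * 1024


def iter_chunks(data: bytes, size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield `data` in fixed-size pieces, as a download loop would hand
    them over, so the digest never needs the whole tarball in memory."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of `data`, computed incrementally."""
    h = hashlib.md5()
    for chunk in iter_chunks(data):
        h.update(chunk)
    return h.hexdigest()


def record_package(db: Dict[str, dict], name: str, url: str, data: bytes) -> dict:
    """Scapegoat side: `data` is the distribution that was downloaded from
    `url` and built without problems; store the URL and the digest of
    exactly those bytes.  (Hypothetical database layout.)"""
    entry = {"url": url, "md5sum": md5_hex(data)}
    db[name] = entry
    return entry


def verify_download(entry: dict, downloaded: bytes) -> bool:
    """End-user side: the bytes fetched from entry["url"] are accepted only
    if their MD5 matches the recorded one.  compare_digest does a
    constant-time comparison; a plain == would also be correct here, but
    this is the habit worth keeping for any digest check."""
    return hmac.compare_digest(md5_hex(downloaded), entry["md5sum"])


def demo() -> dict:
    """Round trip with constructed sample bytes (not a real distribution):
    the pristine copy verifies, a copy with one bit flipped does not."""
    pristine = b"fake PIL-1.1.4 source distribution " * 5000
    tampered = pristine[:-1] + bytes([pristine[-1] ^ 0x01])

    db: Dict[str, dict] = {}
    # Placeholder URL for the example; nothing is fetched.
    record_package(db, "PIL", "http://example.invalid/PIL-1.1.4.tar.gz", pristine)
    return {
        "pristine_ok": verify_download(db["PIL"], pristine),
        "tampered_ok": verify_download(db["PIL"], tampered),
        "md5sum": db["PIL"]["md5sum"],
    }


if __name__ == "__main__":
    print(demo())
```

What the check buys: the bytes the user installs are exactly the bytes the scapegoat tested, whichever mirror served them. What it does not buy: any statement about where those bytes originally came from, which is the question Eric raises in the quoted exchange; that trust rests entirely on the database entry reaching the user intact, so the database (and anything it includes) is the thing that has to come from a trusted place. MD5 was a reasonable choice for this in 2003; its collision resistance was broken the following year, so a present-day deployment would record a SHA-2 digest in the same field.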



