<html><head></head><body bgcolor="#FFFFFF"><div><span class="Apple-style-span" style>On Jul 5, 2012, at 1:09 AM, Donald Stufft <<a href="mailto:donald.stufft@gmail.com">donald.stufft@gmail.com</a>> wrote:</span><br></div>
<div><br></div><div><span></span></div><blockquote type="cite"><div>
<div><span style="color:rgb(160,160,168)">On Thursday, July 5, 2012 at 2:44 AM, Stefan Krah wrote:</span></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px">
<span><div><div><div>And many people have been pleasantly surprised by external packages.</div></div></div></span>
</blockquote>
<div>
I can't imagine a situation where I'd want an external package over one
</div><div>hosted on PyPI. Out of curiosity what benefits are those people</div><div>seeing from them? The only thing I can think of is for projects</div><div>where PyPI doesn't allow them to upload because their distributions</div>
<div>are too large (PySide I think?). </div></div></blockquote><div><br></div>I think the other potential reason Carl mentioned was legal reasons. I have no idea what those might be, though. <div><br></div><div>Personally, if I had to guess, most packages that aren't uploaded to PyPI are simply due to laziness of the maintainer, coupled with the fact that because of the searching algorithms in pip/easy_install, they really don't have to. IMHO, if maintainers want their packages to be pip installable, then it's quite reasonable to expect them to keep PyPI up to date.<div>
<br></div><div><span class="Apple-style-span" style>And note that part of my suggestion is to allow direct download links, so if uploading is a problem for whatever reason, it should not hinder access.</span><br><div><br>
<blockquote type="cite"><div><div>Otherwise all the other properties</div><div>of external packages lend themselves to surprising behavior, higher</div><div>likelihood that any particular set of requirements will not be available,</div>
<div>and increase the surface for someone to compromise and exploit people</div><div>installing via pip/easy_install via PyPI.</div></div></blockquote><div><br></div>Thanks, I think this summarizes the situation nicely.</div>
<div><br></div><div>By the way, I'm curious just how many packages a change in policy would affect. How many packages don't have uploads? How many packages is pip installing a version newer than the most recent one listed on PyPI? My guess is that the numbers would be quite high.</div>
<div><br></div><div>Aaron Meurer<br><div><br></div><blockquote type="cite"><div>
</div><div><span>_______________________________________________</span><br><span>Catalog-SIG mailing list</span><br><span><a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a></span><br><span><a href="http://mail.python.org/mailman/listinfo/catalog-sig">http://mail.python.org/mailman/listinfo/catalog-sig</a></span><br>
</div></blockquote></div></div></div></body></html>