<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div><br>On Feb 5, 2013, at 8:02 AM, Holger Krekel &lt;<a href="mailto:holger.krekel@gmail.com">holger.krekel@gmail.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft <span dir="ltr">&lt;<a href="mailto:donald.stufft@gmail.com" target="_blank">donald.stufft@gmail.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">
<div><span style="color:rgb(160,160,168)">On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:</span></div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px">
<span><div style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;text-transform:none;font-size:13px;white-space:normal;font-family:Helvetica;word-spacing:0px">
1. Packages should only be installed from the given package indexes.</div><div style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;text-transform:none;font-size:13px;white-space:normal;font-family:Helvetica;word-spacing:0px">
No scraping of websites as at least easy_install/buildout does, no</div><div style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;text-transform:none;font-size:13px;white-space:normal;font-family:Helvetica;word-spacing:0px">
downloading from external download links. A deprecation period for</div><div style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;text-transform:none;font-size:13px;white-space:normal;font-family:Helvetica;word-spacing:0px">
this of a couple of months, to give package authors the chance to</div><div style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;text-transform:none;font-size:13px;white-space:normal;font-family:Helvetica;word-spacing:0px">
upload their packages is probably necessary.</div></span>
</blockquote>
</div><div>
PyPI will need to change for this to happen realistically if I recall. There is a
</div><div>hard limit on how large of a distribution can be uploaded to PyPI and there</div><div>are, if I recall, valid distributions which are larger than that.</div><div><br> </div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div></div><div>Personally I want the installers to only install from PyPI, so my suggestion,</div><div>if this is something that (the proverbial) we want to do, is that PyPI should gain</div><div>some notion of a soft limit for distribution upload (to protect against</div>
<div>DoS) with the ability to increase that size limit for specific projects who</div><div>can file a ticket w/ PyPI to have their limit increased.</div>
<br></blockquote><div><br>Dropping the crawling over external pages needs _much_ more than just a few months of deprecation warnings, rather years. There are many packages out there, and it would break people's installations. As a random example, look at <a href="http://pypi.python.org/simple/lockfile/">http://pypi.python.org/simple/lockfile/</a> - it has its last release in 2010 and 74K downloads from the 0.9 download URL (going to <a href="http://code.google.com">code.google.com</a>). <br>
<br>I certainly agree, though, that the current client-side crawling is a nuisance and makes for unreliability of installation procedures. I think we should move the crawling to the server side and cache packages. I am currently working on a prototype which does this (and a few other niceties). It allows keeping all installers and packages working nicely, serving all packages from one central place (cached on demand currently, but that is a policy issue).<br>
<br>best,<br>holger<br></div></div></div></blockquote><div><br></div><div>Derived from the current pypi code base?</div><div><br></div><br><blockquote type="cite"><div><div class="gmail_quote"><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
Catalog-SIG mailing list<br>
<a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a><br>
<a href="http://mail.python.org/mailman/listinfo/catalog-sig" target="_blank">http://mail.python.org/mailman/listinfo/catalog-sig</a><br>
<br></blockquote></div><br>
</div></blockquote></body></html>