(Fixed quoting indent + some own comments)

On Mon, Sep 29, 2014 at 11:04 +0000, Donald Stufft wrote:
> On Sep 29, 2014, at 6:01 AM, Nick Coghlan <mailto:ncoghlan@gmail.com> wrote:
>> On 29 Sep 2014 19:50, "Nick Coghlan" <mailto:ncoghlan@gmail.com> wrote:
>>> On 29 Sep 2014 19:04, "M.-A. Lemburg" <mailto:mal@egenix.com> wrote:
>>>> Do you seriously want to force package authors to cut a new release just because a single uploaded distribution file is broken for some reason and then ask all users who have already installed one of the non-broken ones to upgrade again, even though they are not affected?
>>>
>>> Yes, I do. Silently changing released artefacts is actively user hostile. It breaks mirroring, it breaks redistribution, it breaks security audits, and it can even break installation for security conscious users that are using peep rather than pip.
>>
>> One caveat on this: it would potentially be convenient to have a "release" field in the wheel naming scheme, and adopt a similar approach for other binary formats like Windows installers, specifically to allow those to be updated without needing to do a full source version update.
>>
>> It's the silent substitution of file contents I have a fundamental problem with, not the notion of being able to publish an updated platform specific build artefact without having to bump the source release version.
>
> Wheel files already include the idea of a build number baked into the filename. That would be a different filename and thus would be allowed to be uploaded even if you deleted the original Wheel. Is there something about that which wouldn’t work or did it just slip your mind?

FWIW I'd prefer to go with the "each filename maps to one binary content or was deleted" guarantee irrespective if it's a wheel, tar, egg or zip file. Besides, the cited mirroring/distribution simplifications wouldn't otherwise materialize I guess.

holger

> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
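The guarantee discussed in the thread above ("each filename maps to one binary content or was deleted"), together with the wheel build tag as the way to publish a rebuilt file, sketched as an added example that is not part of the original messages and not code from PyPI or pip. `FileIndex`, `wheel_build_tag`, `demo` and the sample filenames and contents are hypothetical; treating a deleted filename as permanently retired is an assumption of this sketch.

```python
import hashlib
import re

# Wheel filename layout per PEP 427; the optional build tag starts with a digit.
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)


def wheel_build_tag(filename):
    """Return the build tag of a wheel filename, or None if it has none."""
    match = WHEEL_RE.match(filename)
    if match is None:
        raise ValueError("not a wheel filename: %r" % filename)
    return match.group("build")


class FileIndex:
    """Hypothetical index: a filename maps to one content, or was deleted."""

    def __init__(self):
        self._digests = {}     # filename -> sha256 of the first upload, kept forever
        self._deleted = set()  # filenames that were removed and stay retired

    def upload(self, filename, content):
        digest = hashlib.sha256(content).hexdigest()
        if filename not in self._digests:
            self._digests[filename] = digest
            return "accepted"
        if filename not in self._deleted and self._digests[filename] == digest:
            return "unchanged"  # idempotent re-upload of identical bytes
        return "rejected"       # different bytes, or a retired filename

    def delete(self, filename):
        if filename in self._digests:
            self._deleted.add(filename)


def demo():
    """Constructed scenario: a broken Windows wheel is replaced by a rebuild."""
    index = FileIndex()
    first, rebuilt = "pkg-1.0-cp34-none-win32.whl", "pkg-1.0-1-cp34-none-win32.whl"
    results = [index.upload(first, b"broken build"),
               index.upload(first, b"fixed build")]        # silent substitution
    index.delete(first)
    results.append(index.upload(first, b"fixed build"))    # reuse of a deleted name
    results.append(index.upload(rebuilt, b"fixed build"))  # new build tag, new name
    return results
```

Because the first digest recorded for a filename is never overwritten, a mirror or a hash-pinning installer that saw the original file can rely on that filename never resolving to different bytes.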