On 31 August 2015 at 20:59, Wichert Akkerman <wichert@wiggy.net> wrote:
Sure. My knowledge of rpm is 20 years out of date, so I am going to focus the deb/dpkg/apt world only.
For the purposes of this discussion, we can consider the two ecosystems essentially equivalent. There are differences around what's builtin and what's a plugin, but the general principles are the same: * default repos are defined by each distro, not by the tool developers * source repos and binary repos are separate from each other * users can add additional repos of both kinds via config files * config files can also set relative priorities between repos That last one is the main defence against malicious repos - if you set your distro repos to a high priority, then third party repos can't override distro packages, but if you set a particular third party repo to a high priority then it can override *anything*, not just the packages you're expecting it to replace. The key *differences* that are relevant to the current discussion are: * PyPA are the maintainers of both the default repo *and* the installation tools * we don't currently have any kind of repo priority mechanism This is why I think it's important to be clear that we *want* to improve the off-PyPI hosting experience, as that's something we consider reasonable for people to want to do, but it's going to take time and development effort. The question is thus whether it makes sense to delay significant improvements for the common case (i.e. hosting on PyPI), while we work on handling the minority case, and I don't believe it does. It *may* be worth hacking in special case handling for the packages already hosted externally, but we can do that as exactly that (i.e. a special case providing a legacy bridging mechanism until a better solution is available), rather than as an indefinitely supported feature. Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia