On Oct 14, 2015 1:55 PM, "Glyph Lefkowitz" <glyph@twistedmatrix.com> wrote:
>> On Oct 14, 2015, at 10:36 AM, Nathaniel Smith <njs@pobox.com> wrote:
>> My feeling is that pypi is correct to disallow the mutation of releases once they become public, but that the ergonomics around this could probably be improved :-). A more general solution that might be nice to have Someday would be if you could upload a release in one step, and then get a private link to poke at what was uploaded and make sure it looks correct, before making it public in a second step.
> IMHO it would be really neat if 'pip' could authenticate to PyPI, and the authentication could affect package visibility, so that you could end-to-end test 'pip install foo' and ensure that you get what you expect before pushing the go-live switch.

The slick way to do this would be to provide a private index URL that gives you a view of what pypi would look like after your release goes live, and could be used like

pip install --index-url https://pypi.python.org/tmp/foo/acd1538afe267/ foo

That way you skip all the issues of adding an authentication system to pip, plus get a URL that you can pass around to other people ("hey #twisted, can someone who's on Windows test the new release? Just type: ...")

You'd want to expire these after some time to prevent them being abused as private package indices for proprietary software, but that's easy enough.

@Donald: is there somewhere we should be filing these warehouse wish list things so they don't get lost? :-)