On Sep 29, 2014, at 6:01 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:

On 29 Sep 2014 19:50, "Nick Coghlan" <ncoghlan@gmail.com> wrote:
>
>
> On 29 Sep 2014 19:04, "M.-A. Lemburg" <mal@egenix.com> wrote:
> >
> > Do you seriously want to force package authors to cut a new release
> > just because a single uploaded distribution file is broken for
> > some reason and then ask all users who have already installed one
> > of the non-broken ones to upgrade again, even though they are not
> > affected ?
>
> Yes, I do. Silently changing released artefacts is actively user hostile. It breaks mirroring, it breaks redistribution, it breaks security audits, and it can even break installation for security conscious users that are using peep rather than pip.

One caveat on this: it would potentially be convenient to have a "release" field in the wheel naming scheme, and adopt a similar approach for other binary formats like Windows installers, specifically to allow those to be updated without needing to do a full source version update.

It's the silent substitution of file contents I have a fundamental problem with, not the notion of being able to publish an updated platform specific build artefact without having to bump the source release version.

Wheel files already include the idea of a build number baked into the filename. That would be

a different filename and thus would be allowed to be uploaded even if you deleted the original

Wheel. Is there something about that which wouldn’t work or did it just slip your mind?