On 23 February 2017 at 18:53, Paul Moore <p.f.moore@gmail.com> wrote:
> On 23 February 2017 at 08:44, Nick Coghlan <ncoghlan@gmail.com> wrote:
> > That gets us back into the world of defining what the various package types
> > mean, and I really don't want to go there :)
>
> And yet I still don't understand what's wrong with "application",
> "library", and "metapackage" (the latter saying to me "complex thing
> that I don't need to understand"). Those terms are clear enough -
> after all, they are precisely the ones we've always used when debating
> "should you pin or not"?
>
> Sure, there's a level of judgement involved - but it's precisely the
> *same* judgement as we're asking authors to make when asking "should I
> pin", just using the underlying distinction directly.

Thinking about it further, I may be OK with that, especially since we can point to concrete examples.

  component: a library or framework used to build Python applications. Users will mainly interact with the component via a Python API. Examples: requests, numpy, pytz
  application: an installable client application or web service. Users will mainly interact with the service via either the command line, a GUI, or a network interface. Examples: ckan (network), ansible (cli), spyder (GUI)
  metapackage: a package that collects specific versions of other components into a single installable group. Example: PyObjC

And then we'd note in the spec that public index servers SHOULD warn when components use pinned dependencies, while other tools MAY warn about that case.

Going down that path would also end up addressing this old RFE for the packaging user guide: https://github.com/pypa/python-packaging-user-guide/issues/100
 
> > Instead, I'm thinking in terms of a purely capability based field:
> > "allow_pinned_dependencies", with the default being "False", but actually
> > checking the field also only being a SHOULD for public index servers and a
> > MAY for everything else.
>
> How would the user see this? As a magic flag they have to set to "yes"
> so that they can pin dependencies? Because if that's the situation,
> I'd imagine a lot of authors just cargo-culting "add this flag to get
> my package to upload" without actually thinking about the
> implications. (They'll search Stack Overflow for the error message, so
> putting what it's for in the docs won't help...)

Pre-answering questions on SO can work incredibly well, though :)

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia
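
Added illustration, not part of the original message or of any PyPA tool: a sketch of the upload-time check the thread describes, where an index warns when a "component" pins a dependency to one exact version. The package-type values follow the three terms defined above; the function names, the simplified requirement parsing and the sample requirements are assumptions constructed for the example.

```python
import re

# Package types as defined in the message above (the field itself is hypothetical).
PACKAGE_TYPES = {"component", "application", "metapackage"}

# Simplified requirement parser: name, optional [extras], then the specifier
# set (optionally parenthesised). Anything after ';' (markers) is ignored.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*\(?([^;)]*)\)?")


def pinned_clauses(requirement):
    """Return the specifier clauses that fix a single exact version."""
    match = _REQ.match(requirement)
    if not match:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    pins = []
    for clause in match.group(3).split(","):
        clause = clause.strip()
        if clause.startswith("==="):
            pins.append(clause)  # arbitrary equality is always an exact pin
        elif clause.startswith("==") and not clause.endswith(".*"):
            pins.append(clause)  # '==1.*' is a prefix match, not a pin
    return pins


def pin_warnings(package_type, requires_dist):
    """Return (requirement, pins) pairs an index would warn about.

    Only components are checked; applications and metapackages may pin.
    """
    if package_type not in PACKAGE_TYPES:
        raise ValueError(f"unknown package type: {package_type!r}")
    if package_type != "component":
        return []
    findings = []
    for req in requires_dist:
        pins = pinned_clauses(req)
        if pins:
            findings.append((req, pins))
    return findings


# Constructed sample metadata, not taken from any real project.
SAMPLE = ["examplelib (==1.4.2)", "otherlib>=2.0,<3", "thirdlib==1.*"]
```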