The Update Framework, integrate into PyPI?

I read the RoadMap (Thank you Marcus Smith) and came across this:
An effort to integrate PyPI with the “The Update Framework” (TUF). This is specified in PEP458
I see a trend to immutable systems everywhere. Updates are a pain. Building new systems is easier. With current hardware and good software it is easier to build new systems instead of updating existing systems.
It is like from pets to cattle:
- pets: you give them names and care for them (do updates)
- cattle: you give them numbers and if they get ill you get rid of them.
Maybe I am missing something. But why is there an effort to create “The Update Framework”, and why integrate it with pypi?
Regards,
Thomas Güttler
--
http://www.thomas-guettler.de/

Hi Thomas,
It's great you're so enthusiastic about python packaging and distribution, but it might be good to keep in mind that there are a lot of people reading these lists, and answering basic questions can take time away from making important improvements?
In this case, a quick google of "the update framework" or skimming of the referenced PEP 458 would have revealed that TUF is totally orthogonal to the kinds of updates that you're worried about -- it's about building a cryptographic framework to let you reliably identify what the latest version of some software is, even if e.g. someone has broken into pypi and tried to add backdoors to the software there, which is important no matter what strategy you then use to deploy those updates. In fact possibly the largest deployment of TUF is the version built into docker's latest release, to help you securely pick a good base image.
-n
On Nov 4, 2015 12:06 PM, "Thomas Güttler" <guettliml@thomas-guettler.de> wrote:
> I read the RoadMap (Thank you Marcus Smith) and came across this:
> An effort to integrate PyPI with the “The Update Framework” (TUF). This is specified in PEP458
> I see a trend to immutable systems everywhere. Updates are a pain. Building new systems is easier. With current hardware and good software it is easier to build new systems instead of updating existing systems.
> It is like from pets to cattle:
> - pets: you give them names and care for them (do updates)
> - cattle: you give them numbers and if they get ill you get rid of them.
> Maybe I am missing something. But why is there an effort to create “The Update Framework”, and why integrate it with pypi?
> Regards, Thomas Güttler
> -- http://www.thomas-guettler.de/

> answering basic questions can take time away from making important improvements?
To be fair, distutils-sig is mentioned as a user support list on the "Python Packaging User Guide".
A few years back, there was a debate on splitting it between a user and planning list, but no traction there. One concern was that the user list wouldn't have enough experts participating to answer the questions.
--Marcus

On 04.11.2015 at 21:25, Nathaniel Smith wrote:
> Hi Thomas,
> It's great you're so enthusiastic about python packaging and distribution, but it might be good to keep in mind that there are a lot of people reading these lists, and answering basic questions can take time away from making important improvements?
Do you know how many developers try to understand the magic of python packaging every day?
My guess is that 99% of all newcomers get confused by the current docs.
Somehow I have the need to speak it out. I have no clue how to improve it. That's why I ask here.
If you don't like my question ... sorry they are just a mirror of the current state of the docs.
For me the basic docs are more important than the "important improvements".
Regards,
Thomas Güttler
--
http://www.thomas-guettler.de/

On November 5, 2015 at 2:51:46 PM, Thomas Güttler (guettliml@thomas-guettler.de) wrote:
> On 04.11.2015 at 21:25, Nathaniel Smith wrote:
> > Hi Thomas,
> > It's great you're so enthusiastic about python packaging and distribution, but it might be good to keep in mind that there are a lot of people reading these lists, and answering basic questions can take time away from making important improvements?
> Do you know how many developers try to understand the magic of python packaging every day?
> My guess is that 99% of all newcomers get confused by the current docs.
> Somehow I have the need to speak it out. I have no clue how to improve it. That's why I ask here.
> If you don't like my question ... sorry they are just a mirror of the current state of the docs.
> For me the basic docs are more important than the "important improvements".
For what it’s worth the road map is not going to be targeted at beginners. It’s going to be targeted more towards people who are already knowledgeable and give them a way to see what’s on the pipeline for improvement. For end users they are likely to never see the words “TUF” or “The Update Framework”, it’ll be an implementation detail.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

On 5 November 2015 at 19:51, Thomas Güttler <guettliml@thomas-guettler.de> wrote:
> My guess is that 99% of all newcomers get confused by the current docs.
My guess (no more or less accurate than yours!) is that very few new users read the docs. Maybe they get confused by the UI of the tools, maybe not. But improving docs they don't read wouldn't help as much as improving the UI. And anyway, the document you asked about is aimed at people wanting to help with developing the packaging tools, *not* at end users.
> Somehow I have the need to speak it out. I have no clue how to improve it. That's why I ask here.
> If you don't like my question ... sorry they are just a mirror of the current state of the docs.
But you don't ask questions with any goal in mind - you're not saying "I want to do X and I can't find the information I need". You just ask questions about random things, with no explanation of what actual work you are trying to do that the information would help you achieve. (And no, "understand Python's packaging" isn't actual work - "install package X" is, as is "write a PR for pip to do X".)
> For me the basic docs are more important than the "important improvements".
Understood. Your opinion is noted. Many people here disagree with your priorities (at least in terms of what they wish to contribute) - although there *are* people working on the tutorial documentation, so your implication that nobody's doing what you want them to is wrong.
The tone of your emails seems consistently critical. I'm willing to assume that you're frustrated and wish you could find a way to help, but it's getting hard to remain patient. Please could you try to phrase your questions in future with a bit more thought to the fact that the software you're commenting on was provided free of charge by people working in their spare time. Developer enthusiasm is hard to obtain, and very easy to lose, so needs to be treated with respect.
Paul

On Wed, Nov 4, 2015 at 8:00 PM, Thomas Güttler <guettliml@thomas-guettler.de> wrote:
> I read the RoadMap (Thank you Marcus Smith) and came across this:
> An effort to integrate PyPI with the “The Update Framework” (TUF). This is specified in PEP458
> I see a trend to immutable systems everywhere.
Not everywhere. Keep in mind that there are a *lot* of different use cases for packaging/deployment. Not just web app, not just CLI tools, etc... For example, it is common for modern end user applications to use an auto-update feature (e.g. chrome).
David

participants (6)
- David Cournapeau
- Donald Stufft
- Marcus Smith
- Nathaniel Smith
- Paul Moore
- Thomas Güttler