On May 9, 2014, at 7:55 AM, Paul Moore firstname.lastname@example.org wrote:
On 9 May 2014 12:44, Donald Stufft email@example.com wrote:
We still wouldn't be forcing anyone to upload things to PyPI. We are, however, discouraging people from not hosting on PyPI and providing incentives to doing that.
But you're doing so by inflicting pain on people using pip to install those packages. Those users complain about pip, not about the packages. Better to directly impact the package maintainers, rather than their users (who are innocent victims). Better still of course to encourage people to improve things, not to punish them for not doing so.
We can’t directly impact the package maintainers, and the vast bulk of people who have had a problem and complained about it to pip also need to add the --allow-unverifiable flag, so they would not simply be fixed by allowing safely externally hosted files.
Looking at the numbers and what packages are hosted externally, allowing safely externally hosted files would have practically no benefit to pip’s end users. The only case that I can see with a quick scan would be that it would allow the latest version of argparse.
TBH I think the biggest source of confusion reduction would be to remove the “safely externally hosted” category altogether and just make it hosted on PyPI -> install by default, hosted off PyPI -> requires a per-package flag. However, I’m sure the vocal minority would have a problem with that.
I think it's important to point out that one of the driving factors that caused me to finally push for changes, and what led to PEP 438 being created, was that Mercurial's external hosting was being extremely flaky. I can't remember the exact details, but I want to say that over the span of a week or two I was getting massive numbers of users complaining that
pip install Mercurial
was suddenly failing. This isn't to knock on the Mercurial folks or anything, but to simply point out that these problems aren't things that just happen to (under|un)maintained software, nor are they hypothetical. This PEP was born of the frustration that was being relayed to me by end users of PyPI/pip.
So now "pip install Mercurial" always fails? And adding a flag allows it to work as well as before, but no better? How did that fix the issue? Seriously - I'm missing something here.
No, this caused Mercurial to upload their packages to PyPI.
Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA