On 08.05.2014 23:22, Donald Stufft wrote:
>> On a personal note, I'm uncomfortable with the way this change is perceived as a case of pip enforcing a behaviour that the pip developers feel should be required. I actually don't like this change particularly. So having pip implement the behaviour required by that PEP is to me simply a case of compliance with the agreed standard. But now, as a pip developer, being held responsible for the resulting user pain, and being expected to defend it, does not make me happy.
> I think the pain is being overrepresented and the positives are being ignored. The problem is the benefits of this PEP are much like the benefits of TLS too. For the vast majority of people they don’t notice anything different except installing things is faster and more reliable. They don’t attribute that to the PEP or this decision, they just internalize it as the new norm. However the people who this does affect will seek out why it broke and raise an issue citing that thing specifically. This creates a perception of lots of pain for no gain when the reality is not that.
Donald: I don't think anyone is arguing that hosting packages on PyPI is a bad thing and PyPI as a service has gotten a lot better than it was a few years ago.
However, I find it troubling that we as Python developers are forcing the whole Python world to put their code into PyPI.
There are plenty of good reasons not to do this, and sometimes it's even impossible if you want to stay legal (see the PEP for details).
Accordingly, we should respect those reasons and make it possible for Python packages to live elsewhere, without having our tools put those packages into a bad light or making it harder for Python users to install such packages than needed.
With the checksum uploaded to PyPI, the only argument against fetching packages from other places on the Internet is reliability, not security.
PyPI is not the only reliable file hosting system on the Internet, so this argument is rather weak.
-- Marc-Andre Lemburg eGenix.com
Professional Python Services directly from the Source (#1, May 09 2014)
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
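The checksum check the message above refers to, as an added example that is not part of the original message and not pip's code: the index publishes the digest in the link fragment, and the installer refuses an externally hosted file that does not match it. The host name, the `#sha256=` link, the allowed-algorithm set and the function names are assumptions of this sketch.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Digests accepted from a link fragment (assumption of this example; md5 is
# left out because it is not collision resistant).
ALLOWED = {"sha256", "sha384", "sha512"}


class HashMismatch(Exception):
    """Raised when a file cannot be tied to the digest in its index link."""


def expected_digest(link):
    """Return (algorithm, hexdigest) from a link such as
    https://host/pkg-1.0.tar.gz#sha256=<hex>; raise if absent or unusable."""
    fragment = urlsplit(link).fragment
    algo, sep, hexdigest = fragment.partition("=")
    algo = algo.lower()
    if not sep or algo not in ALLOWED:
        raise HashMismatch("no acceptable hash in link fragment: %r" % fragment)
    hexdigest = hexdigest.lower()
    size = hashlib.new(algo).digest_size * 2
    if len(hexdigest) != size or any(c not in "0123456789abcdef" for c in hexdigest):
        raise HashMismatch("malformed %s digest" % algo)
    return algo, hexdigest


def verify_download(link, chunks):
    """Hash the downloaded bytes (an iterable of chunks) and compare with the
    digest the index published. Returns the algorithm name on success."""
    algo, want = expected_digest(link)
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), want):
        raise HashMismatch("%s mismatch for %s" % (algo, urlsplit(link).path))
    return algo


# Constructed sample: an externally hosted sdist and the link an index page
# would carry for it.
SDIST = b"constructed sample sdist bytes"
LINK = ("https://downloads.example.org/pkg-1.0.tar.gz#sha256="
        + hashlib.sha256(SDIST).hexdigest())
```

The digest only anchors the file to the index: the check is as trustworthy as the channel over which the index page carrying the link was fetched.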