On May 8, 2014, at 12:42 PM, R. David Murray firstname.lastname@example.org wrote:
On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft email@example.com wrote:
On May 8, 2014, at 11:21 AM, R. David Murray firstname.lastname@example.org wrote:
Ah, I understand now.
Your perspective is as someone who is using pip for deployment.
Deployment, or any kind of situation where you want to have a reproducible build. Generally via deployment yes. [...] For Python with pip you can use a requirements.txt file to create a set of dependencies that are pinned to exact versions like:
And pip will (theoretically, our dep solving is real bad ATM) install exactly those versions from your index server. Generally this means PyPI which
OK, this makes sense, then. (I wish perl/cpan had something similar...maybe it does, but I couldn't find it at the time.)
This still leaves the fact that there is a disconnect between the "needs" of two different audiences for PIP: people who deploy things, and everyone else who just uses pip to install stuff.
Yup, balancing between the two is something we have to do in every decision we make. When PEP438 was being discussed I did a pretty extensive amount of investigation into what effect this change would have 1. What I found was that:
Because of this it was determined that simply allowing externally hosted files without also allowing externally hosted and unverified files would not actually have a significant impact for the vast bulk of the projects that were not hosted on PyPI.
The second group is going to overwhelm the first group, if it doesn't already.
Generally yes, because not everyone who uses pip to deploy uses pip to install locally, but most people who use pip to deploy also use pip locally.
And I think that's all the comments I have on this issue :)
Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
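The thread above describes pinning a requirements.txt to exact versions so that a deployment is reproducible. The script below is an added example, not code from the thread or from pip itself: it parses a requirements file with the simple `name==version` line format the thread refers to and reports any requirement that is not pinned to an exact version, which is the check a deployer would run before trusting a file for a reproducible build. The sample requirements content is constructed for the example; `SAMPLE_REQUIREMENTS`, `parse_requirements`, `unpinned_requirements` and `is_fully_pinned` are names chosen here and are not pip APIs.

```python
"""Check a pip requirements file for exact version pins.

Added example (not from the mailing-list thread and not pip's own code).
It assumes the plain "name==version" line format the thread describes and
pip's comment rule: a '#' at line start or preceded by whitespace begins a
comment.
"""
import re
import sys

# Constructed sample requirements content (not taken from the thread).
SAMPLE_REQUIREMENTS = """\
# comment line
requests==2.2.1
Django>=1.6
flask
six==1.6.1  # trailing comment
-e git+https://example.invalid/repo.git#egg=mypkg
"""

# Exact pin: project name, '==', and a version token (no whitespace or '#').
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")

# Comment: '#' at start of line or after whitespace, to end of line.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def parse_requirements(text):
    """Return (line_number, requirement, pin) per requirement line.

    pin is (name, version) for an exact '==' pin, else None.
    Blank and comment-only lines are skipped.
    """
    results = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        pin = (match.group(1), match.group(2)) if match else None
        results.append((lineno, line, pin))
    return results


def unpinned_requirements(text):
    """Return (line_number, requirement) for every line lacking an exact pin."""
    return [(n, line) for n, line, pin in parse_requirements(text) if pin is None]


def is_fully_pinned(text):
    """True when every requirement line carries an exact '==' pin."""
    return not unpinned_requirements(text)


if __name__ == "__main__":
    # Read a real file if given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    for lineno, line in unpinned_requirements(text):
        print("line %d not pinned to an exact version: %s" % (lineno, line))
    sys.exit(0 if is_fully_pinned(text) else 1)
```

Run it with a path to a requirements file (or no argument to see the sample) and it exits non-zero when any line uses a range, a bare name, or a VCS reference instead of an exact `==` pin; wiring that exit code into a deployment step is the usual way to keep a file from drifting away from reproducibility.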