Yearly PyPI breakage
Hello, Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working? Collecting cdecimal Could not find a version that satisfies the requirement cdecimal (from versions: ) No matching distribution found for cdecimal You are using pip version 7.1.2, however version 8.1.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command. If this continues, I'm going to release a premium version that's 50% faster and only available from bytereef.org or Anaconda. Stefan Krah
Why don’t you just *host* the files on PyPI?
On May 3, 2016, at 12:06 PM, Stefan Krah <stefan@bytereef.org> wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
Collecting cdecimal Could not find a version that satisfies the requirement cdecimal (from versions: ) No matching distribution found for cdecimal You are using pip version 7.1.2, however version 8.1.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command.
If this continues, I'm going to release a premium version that's 50% faster and only available from bytereef.org or Anaconda.
Stefan Krah
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/lukasz%40langa.pl
On Tue, 3 May 2016 at 12:06 Stefan Krah <stefan@bytereef.org> wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
Collecting cdecimal Could not find a version that satisfies the requirement cdecimal (from versions: ) No matching distribution found for cdecimal You are using pip version 7.1.2, however version 8.1.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command.
The distutils-sig mailing is the best place to try and get help.
On May 3, 2016, at 3:06 PM, Stefan Krah <stefan@bytereef.org> wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
This is off topic for python-dev, but https://www.python.org/dev/peps/pep-0470/#i-can-t-host-my-project-on-pypi-be... . ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Tue, May 3, 2016 at 12:06 PM, Stefan Krah <stefan@bytereef.org> wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
Collecting cdecimal Could not find a version that satisfies the requirement cdecimal (from versions: ) No matching distribution found for cdecimal You are using pip version 7.1.2, however version 8.1.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command.
If this continues, I'm going to release a premium version that's 50% faster and only available from bytereef.org or Anaconda.
There's no point in making threats -- you're threatening the air. PyPI is maintained by one overloaded developer (Donald Stufft, sponsored by HPE as part of their openstack work) with help from a few overloaded, burned-out volunteers. Everyone wants PyPI to be awesome and useful; your frustration is totally understandable, and lots of us share it. But the limitation here is that we have ~one person running a website that serves ~100,000,000 requests/day, and running as fast as they can just to keep things from breaking more than they already have. As long as that's the case it doesn't matter what "should" happen, there's no-one to do it. -n -- Nathaniel J. Smith -- https://vorpus.org
Nathaniel Smith <njs <at> pobox.com> writes:
If this continues, I'm going to release a premium version that's 50% faster and only available from bytereef.org or Anaconda.
There's no point in making threats -- you're threatening the air. PyPI is maintained by one overloaded developer (Donald Stufft, sponsored by HPE as part of their openstack work) with help from a few overloaded, burned-out volunteers. Everyone wants PyPI to be awesome and useful; your frustration is totally understandable, and lots of us share it. But the limitation here is that we have ~one person running a website that serves ~100,000,000 requests/day, and running as fast as they can just to keep things from breaking more than they already have. As long as that's the case it doesn't matter what "should" happen, there's no-one to do it.
This wasn't so much of a threat, it was resignation. At some point it seems like the rational thing to do. I don't fully understand your explanation. Judging by the link that Donald posted (thanks!) it seems that PEP 470 introduced extra work for him that would not have been present had things been left in place. Also, I did not get any notification and now that I searched for PEP 470 it seems that it wasn't announced here: https://mail.python.org/pipermail/python-dev/2015-October/141838.html But if the majority prefers PyPI that way, I'll stop arguing. Stefan Krah
On May 3, 2016, at 1:42 PM, Stefan Krah <stefan@bytereef.org> wrote:
I don't fully understand your explanation. Judging by the link that Donald posted (thanks!) it seems that PEP 470 introduced extra work for him that would not have been present had things been left in place.
IIRC the PyPI maintainers were constantly nagged about “PyPI reliability issues” that were instead external hosting issues. Everybody was affected every now and then whenever tummy.com or other external servers for popular packages were down. Or at least I know *I was*. Way too often.
But if the majority prefers PyPI that way, I'll stop arguing.
I’m not sure what you mean here but if you want to argue for reverting PEP 470, I wouldn’t hold my breath. -- Ł
Łukasz Langa <lukasz <at> langa.pl> writes:
I don't fully understand your explanation. Judging by the link that Donald posted (thanks!) it seems that PEP 470 introduced extra work for him that would not have been present had things been left in place.
IIRC the PyPI maintainers were constantly nagged about “PyPI reliability issues” that were instead external hosting issues. Everybody was affected every now and then whenever tummy.com or other external servers for popular packages were down. Or at least I know *I was*. Way too often.
But making them completely unreachable does not increase reliability. :)
But if the majority prefers PyPI that way, I'll stop arguing.
I’m not sure what you mean here but if you want to argue for reverting PEP 470, I wouldn’t hold my breath.
No, I mean what we're doing now. Stefan Krah
On May 3, 2016, at 2:38 PM, Stefan Krah <stefan@bytereef.org> wrote:
But making them completely unreachable does not increase reliability. :)
But it does increase security. The other motivation, besides reliability, listed in this section <https://www.python.org/dev/peps/pep-0470/#my-users-have-a-worse-experience-with-this-pep-than-before-how-do-i-explain-that>, is that: "transparently including external links [is] a security hazard (given that in most cases it allowed a MITM to execute arbitrary Python code on the end users machine)". And, indeed, the URL presently listed on PyPI for the cdecimal upload is an unverified http URL. This means that any evil barista with access to a coffee-shop wifi router could instantly execute user-privileged code on any Python programmer's laptop if they were to `pip install´ this externally hosted package, which is one of the reasons why neither `pip´ nor `pypi´ allow such a thing any more. Please believe me when I say I do not mean the following to be insulting - information security is incredibly confusing, difficult, and rapidly evolving, and I don't blame you for getting it wrong - but maintaining a popular package in this way is dangerously irresponsible. There are solid social reasons to centralize the control of the default package repository in the hands of dedicated experts who can scale their security expertise to a large audience, so that package authors like you and I don't need to do this in order to prevent Python from gaining a reputation as a vector for malware; this package is a case in point. Separately from the issue of how PyPI works, even if you have some reason you need to host it externally (which I seriously doubt), please take the trouble to set up a server with properly verified TLS, or use a '.github.io' hostname that can be verified that way. In the meanwhile, just to demonstrate that it's a trivial amount of work to just host it on PyPI, I checked out this package via a verified mechanism ("git clone https://github.com/bytereef/bytereef.github.io") and created a new pypi-cdecimal package <https://pypi.python.org/pypi/pypi-cdecimal <https://pypi.python.org/pypi/pypi-cdecimal>>, via editing the setup.py to change the name, 'python setup.py register', 'python setup.py sdist', 'pip wheel' (for some reason direct 'python setup.py bdist_wheel' didn't work), and 'twine upload'. `pip install pypi-cdecimal´ should now work and get you an importable `cdecimal´, and if you happen to be lucky enough to run the same OS version I am, you won't even need to build C code. cdecimal users may wish to retrieve it via this mechanism until there's a secure way to get the proper upstream distribution. If anyone wants package-index access to this name to upload Windows or manylinux wheels just let me know; however, as this is just a proof of concept, I do not intend to maintain it long-term. -glyph
On 5/3/2016 8:56 PM, Glyph wrote:
setup.py bdist_wheel' didn't work), and 'twine upload'. `pip install pypi-cdecimal´ should now work and get you an importable `cdecimal´, and if you happen to be lucky enough to run the same OS version I am, you won't even need to build C code. cdecimal users may wish to retrieve it via this mechanism until there's a secure way to get the proper upstream distribution.
If anyone wants package-index access to this name to upload Windows or manylinux wheels just let me know; however, as this is just a proof of concept, I do not intend to maintain it long-term.
For Windows, http://www.lfd.uci.edu/~gohlke/pythonlibs/ has 32 and 64 bit builds of cdecimal 2.3 for 2.7, 3.4, and 3.5. (Is cdecimal substantially different from the _decimal added in 3.5?) -- Terry Jan Reedy
(Is cdecimal substantially different from the _decimal added in 3.5?)
AFAICT, they are unrelated codebases that do about the same thing with the same amount of performance, with the main exception that _decimal in 3.5 does not require one to change their import (or to compile the package themselves.)
On 4 May 2016 at 13:44, <tritium-list@sdamon.com> wrote:
(Is cdecimal substantially different from the _decimal added in 3.5?)
AFAICT, they are unrelated codebases that do about the same thing with the same amount of performance, with the main exception that _decimal in 3.5 does not require one to change their import (or to compile the package themselves.)
cdecimal and the standard library's _decimal module are built around the same decimal arithmetic library (libmpdec), and Stefan is the maintainer for all of them. Similar to other standard library modules with a PyPI counterpart, end users can choose between using the standard library version (and avoiding the external dependency) and using the independently updated version (and gaining increased consistency across Python versions, including availability on 2.7). More info on that can be found in the Python 3.3 What's New doc: https://docs.python.org/3/whatsnew/3.3.html#new-decimal Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
[cut overlong post]
Glyph, nice sneaky way to try to divert from the original issue. Your whole post is invalidated by the simple fact that the URL was protected by a hash (which I repeatedly asked to be upgraded to sha256). This was the official scheme promoted by PEP-438, which you should know. But of course your actual intention here is character assassination, pretending to "rescue" cdecimal and trying to divert from the fact that the transition to PEP 470 was handled suboptimally. The very reason for this thread is that the security was silently disabled WITHOUT me getting a notification. What is on PyPI *now* is not what I configured! Please believe me when I say I do not mean the following to be insulting -- people who have done *actual* cryptography to varying degrees often tend to focus on the important parts and aren't impressed by regurgitating catch phrases like SSL and man-in-the-middle: http://cr.yp.to/ecdh.html The amount of security "experts" in the Python community that pontificate on any occasion is pretty annoying. What do you think djb thinks of Twisted?
If anyone wants package-index access to this name to upload Windows or manylinux wheels just let me know; however, as this is just a proof of concept, I do not intend to maintain it long-term.
That apparently all you can do: Move bits from place A to place B and not care how long it took to produce them. You are a real hero. Stefan Krah
Are you for real? I honestly do not understand your hostility. You posted a mean-spirited complaint about a policy that is nearly exactly two years old, to the wrong list, and call out the people calmly trying to explain what happened and why, and how you can mitigate it for your own work and organization. What do you intend to accomplish? * PyPI is no longer and index, it is a repository * The decision to disable the index-only features of PyPI were made 2 years ago, including pep438 - plenty of time to make alternate arrangements. * The tooling for hosting your own repository is available, should you actually need to host the files outside of PyPI * The tooling exists to use other indexes * The tooling exists to host your own index that serves your own packages (that you develop or third party packages that you package for your own use), that defaults to PyPI for packages not in your own repository I understand that you are upset that a feature you used was removed; posting with hostility to a list of people who do not even have control over the repository is not a legitimate way to solve your problems.
-----Original Message----- From: Python-Dev [mailto:python-dev-bounces+tritium- list=sdamon.com@python.org] On Behalf Of Stefan Krah Sent: Wednesday, May 04, 2016 00:15 To: python-dev@python.org Subject: Re: [Python-Dev] Yearly PyPI breakage
[cut overlong post]
Glyph,
nice sneaky way to try to divert from the original issue. Your whole post is invalidated by the simple fact that the URL was protected by a hash (which I repeatedly asked to be upgraded to sha256).
This was the official scheme promoted by PEP-438, which you should know. But of course your actual intention here is character assassination, pretending to "rescue" cdecimal and trying to divert from the fact that the transition to PEP 470 was handled suboptimally.
The very reason for this thread is that the security was silently disabled WITHOUT me getting a notification. What is on PyPI *now* is not what I configured!
Please believe me when I say I do not mean the following to be insulting -- people who have done *actual* cryptography to varying degrees often tend to focus on the important parts and aren't impressed by regurgitating catch phrases like SSL and man-in-the-middle:
The amount of security "experts" in the Python community that pontificate on any occasion is pretty annoying. What do you think djb thinks of Twisted?
If anyone wants package-index access to this name to upload Windows or manylinux wheels just let me know; however, as this is just a proof of concept, I do not intend to maintain it long-term.
That apparently all you can do: Move bits from place A to place B and not care how long it took to produce them.
You are a real hero.
Stefan Krah
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/tritium- list%40sdamon.com
<tritium-list <at> sdamon.com> writes:
You posted a mean-spirited complaint about a policy that is nearly exactly two years old, to the wrong list, and call out the people calmly trying to explain what happened and why, and how you can mitigate it for your own work
Yeah, right. This is distutils-sig level. Read Glyph's "calm" and "nice" post again. Also note that *I* had already bowed out of the thread when Glyph unnecessarily decided to spread complete misinformation. Stefan Krah
On May 3, 2016, at 9:15 PM, Stefan Krah <stefan@bytereef.org> wrote:
[cut overlong post]
Glyph,
nice sneaky way to try to divert from the original issue.
The original issue, as I understood it, at the start of the thread was "which hoops I have to jump through this year in order to keep pip downloads working". So I showed you the hoops. Your question implied, to me, that you were not presently aware of how easy it is to simply build and upload your packages with sdist and twine. After years and years of horrible setuptools bugs, it certainly seemed plausible to me that if you had long-standing experience with python packaging, you might have perhaps developed a well-deserved low opinion of them in the past. Therefore, you might not be aware of relatively recent improvements to the packaging ecosystem which made this problem trivial to solve. My intent was, therefore, simply to demonstrate that things have improved, and that this was not a hard thing for you to do and could be resolved with a minimum of fuss. I confess that before posting I was made aware that you'd had some personality conflicts with some PyPI maintainers in the past. But that sentence was about the extent and detail level of my understanding. I was not aware to what extent, and the reason I jumped into this particular thread, when I rarely participate in python-dev, was that I hoped a simple explanation of the facts of the matter from someone you hadn't previously interacted with could address your concerns.
Your whole post is invalidated by the simple fact that the URL was protected by a hash (which I repeatedly asked to be upgraded to sha256).
Based only on previous discussion here, I had no way to know either of those things. You didn't reference it in the post I was replying to, or in your original post. And, as you say later, PyPI's download URL doesn't include the hash any more, so it wasn't there for me to observe. (There were some manual instructions in your package description but no automated tooling will honor that.) In any case, fragment hashes are not really a suitable general-purpose mechanism as they are only honored by specific tools (like pip) whereas HTTPS verification ought to be universally supported, so IMHO it is a good thing that PyPI is discouraging their use for this purpose.
This was the official scheme promoted by PEP-438, which you should know. But of course your actual intention here is character assassination, pretending to "rescue" cdecimal
In the "overlong" post that you elided, I specifically said I didn't intend to maintain it for long. If this wasn't clear, what I meant to say by that comment was that I would keep the index entry available until you had the opportunity to upload some sdists and wheels yourself to PyPI. If you don't intend to, I am not the right person to "rescue" the package; someone else who is more invested in cdecimal should provide an alternate PyPI entry, or take over this one.
and trying to divert from the fact that the transition to PEP 470 was handled suboptimally.
I don't see any need to divert attention from this fact, because you appear to be in a minority of one in considering it so.
The very reason for this thread is that the security was silently disabled WITHOUT me getting a notification. What is on PyPI *now* is not what I configured!
If that was the reason for the thread, you would have been better served by making that specific complaint rather than asking for information, and then yelling at the people who provided it to you. You might also consider reporting these issues to an appropriate forum, since python-dev is not the bugtracker for PyPI. You can find that here: <https://bitbucket.org/pypa/pypi/issues <https://bitbucket.org/pypa/pypi/issues>>. You might also want to continue this thread on distutils-sig; I'm sorry for contributing to the noise on python-dev, but I thought getting a high-profile package such as cdecimal integrated into the modern packaging ecosystem would be worth the off-topic digression.
[various spurious and irrelevant ad-hominem attacks redacted]
Perhaps naively, given the level of hostility on display here, I still hope that you might see the wisdom in simply uploading build artifacts to PyPI. But I won't try to convince you further. -glyph
On 4 May 2016 at 05:06, Stefan Krah <stefan@bytereef.org> wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
Stefan, I know you're not happy with myself and the other distutils-sig folks regarding the decision to deprecate and remove automatic link spidering, nor with the PSF regarding the current Terms of Service around uploads to PyPI, but that doesn't make it OK to start off-topic threads on python-dev just because you're a CPython core developer in addition to being a PyPI user. It *definitely* doesn't make it OK to accuse people of conspiring against you when they answer your question in good faith, just because their answer is the official distutils-sig/PyPA one (which was approved through the PEP process in PEP 470). Depending on which aspect is most bothering you right now, potential courses of action worth pursuing include: - writing to psf-legal to let them know whether or not Van Lindberg's draft updates to the Terms of Service would be sufficient to make you comfortable with uploading cdecimal to PyPI in addition to bundling it with the standard library under your existing Contributor Licensing Agreement: https://bitbucket.org/vanl/pypi/src/default/templates/confirm.pt - writing to distutils-sig to see what opportunities exist to assist with the migration from the fragile legacy PyPI codebase to the new Warehouse implementation (which is a technical debt reduction activity currently blocking a lot of other enhancements to the PyPI ecosystem) - writing to the PSF Board asking us to increase the PSF's level of investment in PyPI infrastructure support (while we're already aware of that need, we're also the right venue to escalate these kinds of concerns for folks that don't have the time or inclination to get directly involved in improving the situation themselves) Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
This is mostly just observational, and not meant primarily as criticism of the fabulous work of Donald and others (ignoring pypa, also the prompt, reliable, and skilled support responses common on such places as IRC), however I can't help but notice that PyPI governance seems to come under fire vastly more often than similar and much more popular packaging systems, and some choices that have been made particularly in recent years have caused a noticeable amount of dissent with what might be considered the typical developer. When a contributor to the core language is having repeat issues maintaining some basic element of the function of the packaging system, might it be fair to reflect on how changes to those functions are being managed? There are PEPs covering a great deal of the work done to PyPI recently, but, and I say this as someone who has bumped into friction with the packaging tooling in the relatively recent past, even I despite my motivations to the contrary, I have not read most of them. It seems the current process is observed by few, does not sufficiently address the range of traditional use cases that were possible in the past, and the first the common user learns of a change is when pip (after insisting it must be upgraded) fails to function as it previously did. The usual course then is some complaint, that leads to distutils-sig, which ultimately leads to pointing at some design work that was only observed by perhaps 50 people max that turns out had some edge cases that hurt in a common use case. Is there something to contemplate in here? I dislike posting questions instead of answers, but it seems apparent there is a problem here and it continues to remain unaddressed. David On Tue, May 03, 2016 at 07:06:12PM +0000, Stefan Krah wrote:
Hello,
Could someone enlighten me which hoops I have to jump through this year in order to keep pip downloads working?
Collecting cdecimal Could not find a version that satisfies the requirement cdecimal (from versions: ) No matching distribution found for cdecimal You are using pip version 7.1.2, however version 8.1.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command.
If this continues, I'm going to release a premium version that's 50% faster and only available from bytereef.org or Anaconda.
Stefan Krah
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/dw%2Bpython-dev%40hmmz.or...
On Thu, 5 May 2016 at 16:54 David Wilson <dw+python-dev@hmmz.org> wrote:
This is mostly just observational, and not meant primarily as criticism of the fabulous work of Donald and others (ignoring pypa, also the prompt, reliable, and skilled support responses common on such places as IRC), however I can't help but notice that PyPI governance seems to come under fire vastly more often than similar and much more popular packaging systems, and some choices that have been made particularly in recent years have caused a noticeable amount of dissent with what might be considered the typical developer.
When a contributor to the core language is having repeat issues maintaining some basic element of the function of the packaging system, might it be fair to reflect on how changes to those functions are being managed?
There are PEPs covering a great deal of the work done to PyPI recently, but, and I say this as someone who has bumped into friction with the packaging tooling in the relatively recent past, even I despite my motivations to the contrary, I have not read most of them. It seems the current process is observed by few, does not sufficiently address the range of traditional use cases that were possible in the past, and the first the common user learns of a change is when pip (after insisting it must be upgraded) fails to function as it previously did.
The usual course then is some complaint, that leads to distutils-sig, which ultimately leads to pointing at some design work that was only observed by perhaps 50 people max that turns out had some edge cases that hurt in a common use case.
Is there something to contemplate in here? I dislike posting questions instead of answers, but it seems apparent there is a problem here and it continues to remain unaddressed.
This is whole thread is off-topic precisely because all of this is discussed -- in the open -- on distutils-sig and decided there. If people feel changes need to be made like broadcasting to a wider audience when a change occurs, then please bring it up on distutils-sig. But if people choose not to participate then they are implicitly delegating decision powers to those who do participate (which is totally fine and I'm not implying that if people don't participate they are doing something wrong).
On Fri, May 06, 2016 at 12:03:48AM +0000, Brett Cannon wrote:
Is there something to contemplate in here? I dislike posting questions instead of answers, but it seems apparent there is a problem here and it continues to remain unaddressed.
This is whole thread is off-topic precisely because all of this is discussed -- in the open -- on distutils-sig and decided there. If people feel changes need to be made like broadcasting to a wider audience when a change occurs, then please bring it up on distutils-sig.
I respectfully disagree, as this has been the default response applied for years, and it seems friction and dissemination have not been improved by it. Packaging is not some adjunct technicality, anyone learning Python in the past few years at least has been taught pip within the first week.
But if people choose not to participate then they are implicitly delegating decision powers to those who do participate
I believe this is also practically rhetorical in nature. I've watched the wars on distutils-sig for many years now, and the general strategy is that beyond minor outside influence, the process there is occupied by few individuals who are resistant to outside change. Outside influence is regularly met with essay-length reponses and tangential minutia until the energy of the challenge is expended. As an example, one common argument is that "Donald is overworked", however as an example, I offered a very long time ago to implement full text indexing for PyPI search. At the time I belive I was told such things weren't necessary, only to learn a few years later that Donald himself implemented the same function, and it suffers from huge latency and accuracy issues in the meantime. The solution to those problems is of course the ever-delayed rewrite. Over on distutils-sig, one will learn that a large amount of effort has been poured into a rewrite of PyPI (an effort going on years now), however the original codebase was not far from rescue (I had a local copy almost entirely ported to Flask in a few days). There is no reason why this effort nor any other (like full text search) should be used, as it often is, as an argument in the decisionmaking process that largely governs how PyPI and pip have worked in the recent years, yet it only takes a few glances at the archives to demonstrate that it regularly is. David
On May 5, 2016, at 8:35 PM, David Wilson <dw+python-dev@hmmz.org> wrote:
On Fri, May 06, 2016 at 12:03:48AM +0000, Brett Cannon wrote:
Is there something to contemplate in here? I dislike posting questions instead of answers, but it seems apparent there is a problem here and it continues to remain unaddressed.
This is whole thread is off-topic precisely because all of this is discussed -- in the open -- on distutils-sig and decided there. If people feel changes need to be made like broadcasting to a wider audience when a change occurs, then please bring it up on distutils-sig.
I respectfully disagree, as this has been the default response applied for years, and it seems friction and dissemination have not been improved by it. Packaging is not some adjunct technicality, anyone learning Python in the past few years at least has been taught pip within the first week.
But if people choose not to participate then they are implicitly delegating decision powers to those who do participate
I believe this is also practically rhetorical in nature. I've watched the wars on distutils-sig for many years now, and the general strategy is that beyond minor outside influence, the process there is occupied by few individuals who are resistant to outside change. Outside influence is regularly met with essay-length reponses and tangential minutia until the energy of the challenge is expended.
Honestly, I just don't think this is an honest characterization. It is true that in general there are few people who bother to put in the effort to take a proposal from start to finish including actually writing the code to make such a thing happen. The problem of packaging is a particularly hard one where it's difficult to make trade offs because unlike other systems, people are sort of locked into using whatever the popular system is. If asyncio doesn't suite everyone that's fine it's not hard for them to go and switch and use Twisted, Tornado, gevent, eventlet, curio, etc etc but it's not very realistic for someone to opt out of the packaging ecosystem. In addition, it's much like something like HTTP or SMTP or the such where once you add some feature, it becomes incredibly difficult to ever remove it if you end up needing to (case in point, this thread and off site hosting), so we tend to over scrutinize changes wherever we can to try and make sure we *really* understand what the tradeoffs we're making are. Just as an example, it took a year and a half for PEP 440 to be standardized which is for something as bite sized as version numbers and PEP 440 was a continuation of the stalled PEP 386. The most time consuming part of PEP 440 was trying our new rules against every single version that existed on PyPI and minimizing the breakage. Even then, we've had several recent PEPs go through (manylinux1, environment markers, requirements) from people willing to do so.
As an example, one common argument is that "Donald is overworked", however as an example, I offered a very long time ago to implement full text indexing for PyPI search. At the time I belive I was told such things weren't necessary, only to learn a few years later that Donald himself implemented the same function, and it suffers from huge latency and accuracy issues in the meantime. The solution to those problems is of course the ever-delayed rewrite.
I don't remember the specific details around your proposal, but I'm pretty sure that *I* never told you that "such things were not necessary" since I've never held that opinion to my memory. What I have found [1][2] (to try and refresh my memory) are threads from you that went largely unanswered in April of 2013, which was right at the time I was heavily focused on getting PyPI setup behind Fastly and wasn't really paying attention to much else. I don't see anything else from you about it until September of 2015 when you offered your help again and at that point I told you that we had already switched to using Elasticsearch. In those two years since your initial offer, and then your follow up in 2015 I do not see any pull request to the PyPI code base from you (which, assuming they were reasonable would have been merged), however I do see the PR [3] from Ernest (No, I didn't implement the search) which got merged and deployed. My experience is that people are often willing to *offer* help with PyPI, but then they quickly disappear once they start to actually try and hack on it's code base and realize how difficult it is to work with. That experience tends to mean that I don't really get super excited when someone shows interest in helping because it rarely actually manifests. I think we've had more people contribute to Warehouse in the last year than we've *ever* had contribute to the legacy PyPI code base, which I think says a lot about the decision to switch.
Over on distutils-sig, one will learn that a large amount of effort has been poured into a rewrite of PyPI (an effort going on years now), however the original codebase was not far from rescue (I had a local copy almost entirely ported to Flask in a few days). There is no reason why this effort nor any other (like full text search) should be used, as it often is, as an argument in the decisionmaking process that largely governs how PyPI and pip have worked in the recent years, yet it only takes a few glances at the archives to demonstrate that it regularly is.
I find the statement that "the original code base is not far from rescue" a bit interesting, since you had previously stated [2] that: Again PyPI has been growing organically for a very long time, and dumping even more features in there doesn't seem a great idea. I looked at retrofitting PyPI with Flask, but there is simply too much custom code to be sure things won't be broken by doing it in a hurry. In any case, yes we're rewriting PyPI and it's been something that I've put a lot of effort into. That also means that I'm not particularly enthused about spending a bunch of time and effort working on legacy PyPI because doing so is incredibly demotivating to me to the point that the more time I spent in that code base the more I want to quit all together. Even given that I still have and would review PRs to that code base, it's just that very few people ever suffer through that code base long enough to actually submit one. I don't believe we've ever told someone that something can't happen because of Warehouse, only that *I* won't implement something until after Warehouse. That often times means that something won't happen until after Warehouse because of the severe shortage of people with enough time and motivation to work on this stuff but if someone did step up more things would get done. [1] https://mail.python.org/pipermail/distutils-sig/2013-April/020553.html [2] https://groups.google.com/d/msg/pypa-dev/ZjUNkczsKos/SzwNOckisXUJ [3] https://bitbucket.org/pypa/pypi/pull-requests/81/implement-an-elasticsearch-... ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Thu, May 05, 2016 at 10:31:48PM -0400, Donald Stufft wrote:
I don't believe we've ever told someone that something can't happen because of Warehouse, only that *I* won't implement something until after Warehouse. That often times means that something won't happen until after Warehouse because of the severe shortage of people with enough time and motivation to work on this stuff but if someone did step up more things would get done.
Could the PSF help with this, whether by paying for Donald's (or a consultant's) time to whatever do final implementation, polishing, testing, or sysadmin work is required? --amk
On May 6, 2016, at 1:11 PM, A.M. Kuchling <amk@amk.ca> wrote:
On Thu, May 05, 2016 at 10:31:48PM -0400, Donald Stufft wrote:
I don't believe we've ever told someone that something can't happen because of Warehouse, only that *I* won't implement something until after Warehouse. That often times means that something won't happen until after Warehouse because of the severe shortage of people with enough time and motivation to work on this stuff but if someone did step up more things would get done.
Could the PSF help with this, whether by paying for Donald's (or a consultant's) time to whatever do final implementation, polishing, testing, or sysadmin work is required?
Personally, my time is already paid for by HPE to work on this stuff but I’m only one person. The PSF could pay for others to help with that though. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
This is whole thread is off-topic precisely because all of this is discussed -- in the open -- on distutils-sig and decided there. If people feel changes need to be made like broadcasting to a wider audience when a change occurs, then please bring it up on distutils-sig. But if people choose not to participate then they are implicitly delegating decision
Brett Cannon <brett <at> python.org> writes: powers to those who do participate (which is totally fine and I'm not implying that if people don't participate they are doing something wrong). Participating there, especially for a non-native speaker, is basically a full-time job. You're met with a large number of extremely lengthy posts that would require an incredible amount of time to respond to in a careful manner. And ultimately it is the persons that Guido delegated the authority to who decide everything. I think many people have concluded that the influence/time ratio is too low to be worth it. Also I don't know any other development group who is a) that quick in trying to suppress any "off-topic" discussions and b) constantly uses venues outside of the Python mailing lists to steer and manipulate public opinion. Stefan Krah
participants (11)
-
A.M. Kuchling
-
Brett Cannon
-
David Wilson
-
Donald Stufft
-
Glyph
-
Nathaniel Smith
-
Nick Coghlan
-
Stefan Krah
-
Terry Reedy
-
tritium-list@sdamon.com
-
Łukasz Langa