
On Mon, 24 Jul 2023 at 23:28, Jonathan Crall <erotemic@gmail.com> wrote:
> If popular packages weren't favored that would be a problem. Popularity should be correlated with "trustworthiness" or whatever the metric this curated repo seeks to maximize. I think the important thing is that the packages are both popular and have passed some sort of vetting procedure.
Okay, but can you tell me what this vetting procedure proves that isn't already proven by mere popularity itself?
> For instance, for a very long time Python2 was far more popular than Python3, but any expert in the field would encourage users to move to Python3 sooner rather than later. Python2 is popular, but it wouldn't have made the cut on some expert-curated list.
Experts were divided for a very long time. I'm not sure what your point is here. And are you also saying that packages should be *removed* from this curated list? Because if so, what's the mechanic for this? (Python 2 absolutely WOULD have made the cut on any expert-curated list prior to Python 3's inception.)
> So it helps in that it reranks popular packages (and also excludes some) for those who want to adopt a more strict security / reliability posture.
> By no means do I think this would replace pypi as the de-facto packaging repository. Its low barrier to entry is extremely important for a thriving community, but I also wouldn't mind having something a bit more robust.
> I also think this project would have to be careful not to become yet another "awesome-python-package" collection. Those certainly have value, but based on the initial proposal, I'm interested in something a tad more robust.
More robust in what way? What exactly are the requirements to be part of this list? Will all experts agree? If not, how is it different from "yet another collection"? (Also, PLEASE don't top-post. There's no value in it. Show what you're responding to.)

ChrisA