[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Alex Clark aclark at aclark.net
Thu Jun 17 07:11:41 CEST 2010


Hi,


Andreas Jung wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi there,
>
> I propose a policy change for packages registered with PyPI:
>
>   - packages registered on PyPI have at least one release
>
>   - one release of a registered package on PyPI _must_ contain
>     a valid source code distribution (sdist)
>
>   - packages registered on PyPI without releases or without a
>     source code release are subject to removal N days after
>     the day of registration
>
> Why?
>
> Any package registered on PyPI is possibly crucial to any kind of
> development and deployment.
>
> Packages hosted on external servers (referenced through a download_url)
> are subject to come and go - packages once released should be available
> at any time from a well-known location (PyPI). Dependencies on the
> availability of external download servers other than PyPI are hardly
> acceptable for real-world development and deployments.
>
> As an example: the Plone CMS buildouts depend on python-openid.
> This package is registered with PyPI
>
> http://pypi.python.org/pypi/python-openid
>
> but references
>
> http://openidenabled.com/files/python-openid/packages/python-openid-2.2.4.tar.gz
>
> For whatever reason the download URL is no longer working. In fact:
> openidenabled.com now points to http://www.janrain.com.

FWIW, I have uploaded a local copy of that file to:

http://dist.plone.org/thirdparty/python-openid-2.2.4.tar.gz


>
> Other reasons for disappearing packages in the past:
>
>   - network or server outages of external servers
>   - users changed their organization and the organization removed
>     content of their former employees
>
> PyPI is a valuable and crucial resource for Python development.
> It must be kept up-to-date and consistent.
>
> I don't care about the arguments that were made in the past against
> stronger rules ("openness" etc.).
>
> There are a lot of Python programmers around that are not Python geeks
> as most of us are, and they just become pissed off when packages come and
> go or are not in the place where one would expect them.
>
> PyPI is a community resource - but community does not mean anarchy where
> everyone should be able to upload their package crap without looking left
> and right and having the community and its needs in mind.
>
> PyPI must become a stable package index. Everything registered with PyPI
> must be available at any time (mirrors, distributing PyPI in the cloud...).
>
> Andreas
>
> - --
> ZOPYX Limited           | zopyx group
> Charlottenstr. 37/1     | The full-service network for Zope & Plone
> D-72070 Tübingen        | Produce & Publish
> www.zopyx.com           | www.produce-and-publish.com
> - ------------------------------------------------------------------------
> E-Publishing, Python, Zope & Plone development, Consulting
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkwZowgACgkQCJIWIbr9KYyclQCglMaIFnObClOn3sPfwBWbnV1w
> YboAoL8OSErCHFi0nXD4tbF8VnYgbc/i
> =3m/N
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig


-- 
Alex Clark · http://aclark.net
Author — Plone 3.3 Site Administration · http://aclark.net/admin
