[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Thu Jun 17 13:20:55 CEST 2010

On Thu, Jun 17, 2010 at 12:47, M.-A. Lemburg <mal at egenix.com> wrote:

> Kai Diefenbach wrote:
> > Hi,
> >
> > On 2010-06-17 11:51:13 +0200, M.-A. Lemburg said:
> >
> >> Back to your proposal: In your particular case, I don't see
> >> how the proposal would have helped you - under the proposal,
> >> the package would have been removed from the PyPI index,
> >> so either way, there would have been no working automatic
> >> access to the package download links.
> >
> > Why?
> >
> > Crap without source code distribution will never be published so no one
> > can ever build a dependency on that.
> >
> > AJ: "packages once released should be available at any time from a
> > well-known location (PyPI)"
> >
> > Problem solved.
>
> Please have a look at the package in question. The only problem
> with it is that the download URL registered on PyPI no longer works.
> It redirects to the download page where you can find the source
> distribution.
>

And thats exactly what Andreas' argument is targeting.

> Not much or a problem for a user searching for the archives.
>
> Only a problem for setuptools and zc.buildout that don't ship
> with enough AI to figure out :-)
>

> To get back to your argument:
>
> Crap *with* source code distribution would still get published,
> so people would still build dependencies on it.
>
> How does this solve the problem ?
>

Not putting the source release on pypi is just one indicator of crappy
software.
I agree that this is not a crap indicator for commercial software.

There is a big number of users using tools that download tools in an
automated
fashion from pypi, and it is a reasonable request that source once being
published
to be available forever.

If I understand it correctly, you are against this proposal, that would have
protected users of setuptools/distribute/zc.buildouts from problems due to
python-openid, because it would disallow the publication of information
about commercial packages on pypi?

I see a point in that, but what is more important, having a catalog to
browse or
having a reliable repository of software to download?

As a plone user who uses zc.buildout I very much prefer reliable downloads.
Its not fun
to search for the reason a supposedly repeatable buildout suddenly fails
because
a company decided to rename itself.

How about only listing packages with provided source code on the simple
interface?
afaik buildout always uses that, so a package python-openid is visible in
the
end-user view, but not installable via buildout. That way nobody would ever
have had
created a dependency on it in the first place.

Best regards,

        Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20100617/69338fa3/attachment.html>