[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

M.-A. Lemburg mal at egenix.com
Thu Jun 17 13:40:02 CEST 2010


Patrick Gerken wrote:
> On Thu, Jun 17, 2010 at 12:47, M.-A. Lemburg <mal at egenix.com> wrote:
> 
>> Kai Diefenbach wrote:
>>> Hi,
>>>
>>> On 2010-06-17 11:51:13 +0200, M.-A. Lemburg said:
>>>
>>>> Back to your proposal: In your particular case, I don't see
>>>> how the proposal would have helped you - under the proposal,
>>>> the package would have been removed from the PyPI index,
>>>> so either way, there would have been no working automatic
>>>> access to the package download links.
>>>
>>> Why?
>>>
>>> Crap without source code distribution will never be published so no one
>>> can ever build a dependency on that.
>>>
>>> AJ: "packages once released should be available at any time from a
>>> well-known location (PyPI)"
>>>
>>> Problem solved.
>>
>> Please have a look at the package in question. The only problem
>> with it is that the download URL registered on PyPI no longer works.
>> It redirects to the download page where you can find the source
>> distribution.
>>
> 
> And that's exactly what Andreas' argument is targeting.
> 
> 
>> Not much of a problem for a user searching for the archives.
>>
>> Only a problem for setuptools and zc.buildout that don't ship
>> with enough AI to figure out :-)
>>
> 
>> To get back to your argument:
>>
>> Crap *with* source code distribution would still get published,
>> so people would still build dependencies on it.
>>
>> How does this solve the problem ?
>>
> 
> Not putting the source release on pypi is just one indicator of crappy
> software. I agree that this is not a crap indicator for commercial
> software.
> 
> There is a big number of users using tools that download tools in an
> automated fashion from pypi, and it is a reasonable request that source
> once being published to be available forever.
> 
> If I understand it correctly, you are against this proposal, that would have
> protected users of setuptools/distribute/zc.buildouts from problems due to
> python-openid, because it would disallow the publication of information
> about commercial packages on pypi?

What I'm saying is that it's better to contact the package
authors whose entries cause problems than to force some
policy on all PyPI package entries which carelessly puts
packages that are not hosted on PyPI into the same category
as crappy software.

> I see a point in that, but what is more important, having a catalog to
> browse or having a reliable repository of software to download?
> 
> As a plone user who uses zc.buildout I very much prefer reliable
> downloads. It's not fun to search for the reason a supposedly repeatable
> buildout suddenly fails because a company decided to rename itself.

It is well possible to delete package listings on PyPI. Wouldn't
you rather be informed about this by way of an error report in
zc.buildout than by finding that the package name has changed
a few years later ?

> How about only listing packages with provided source code on the simple
> interface? afaik buildout always uses that, so a package python-openid
> is visible in the end-user view, but not installable via buildout. That
> way nobody would ever have created a dependency on it in the first
> place.

If such external links are a problem for zc.buildout, why don't
you add an option to zc.buildout that prevents using such
packages ?

This is well possible by checking the /simple index entry
for links to package download files:

http://pypi.python.org/simple/python-openid/

vs.

http://pypi.python.org/simple/zc.buildout/

BTW: what are all those bug links doing on the zc.buildout index page ?
They look a lot like a good possibility for injecting trojans.

-- 
Marc-Andre Lemburg
eGenix.com
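
The check on the /simple index entry suggested in the message above, as an added example that is not part of the original message and is not zc.buildout or setuptools code. The function names, the archive extension list and both sample pages are constructed for illustration; the sample pages assume a simple index that links hosted files relatively and external sites absolutely.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed set of distribution archive suffixes (illustrative, not exhaustive).
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".tar.bz2", ".zip", ".egg")

# Constructed sample pages: one package with only external links, one with a
# hosted file plus an unrelated link of the kind a long description can add.
EXTERNAL_ONLY_URL = "http://pypi.python.org/simple/demo-ext/"
EXTERNAL_ONLY_PAGE = """
<a href="http://downloads.example.org/demo-ext/" rel="homepage">home</a>
<a href="http://downloads.example.org/files/demo-ext-2.0.tar.gz" rel="download">dl</a>
"""
HOSTED_URL = "http://pypi.python.org/simple/demo/"
HOSTED_PAGE = """
<a href="../../packages/source/d/demo/demo-1.0.tar.gz#md5=0">demo-1.0.tar.gz</a>
<a href="https://bugs.example.org/demo/+bug/1">bug 1</a>
"""

class _Hrefs(HTMLParser):
    """Collect the href of every anchor on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def classify_links(page_url, html, index_host="pypi.python.org"):
    """Sort a simple-index page's links by where an installer would be sent."""
    parser = _Hrefs()
    parser.feed(html)
    report = {"hosted": [], "external_file": [], "external_page": []}
    for href in parser.hrefs:
        url = urljoin(page_url, href)          # resolve ../../packages/... links
        parts = urlparse(url)
        is_file = parts.path.lower().endswith(ARCHIVE_EXTS)
        if parts.hostname == index_host:
            if is_file:
                report["hosted"].append(url)   # file served by the index itself
        else:
            report["external_file" if is_file else "external_page"].append(url)
    return report

def installable_without_external(report):
    """True when at least one archive is hosted on the index."""
    return bool(report["hosted"])
```

An installer option built on this would use only the `hosted` list and report the external entries instead of following them.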
