[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Patrick Gerken do3ccqrv at googlemail.com
Thu Jun 17 14:54:35 CEST 2010

On Thu, Jun 17, 2010 at 13:40, M.-A. Lemburg <mal at egenix.com> wrote:

Patrick Gerken wrote:

> > As a plone user who uses zc.buildout I very much prefer reliable
> > downloads. It's not fun to search for the reason a supposedly
> > repeatable buildout suddenly fails because a company decided to
> > rename itself.
> It is well possible to delete package listings on PyPI. Wouldn't
> you rather be informed about this by way of an error report in
> zc.buildout than by finding that the package name has changed
> a few years later ?

I would prefer to have my buildout working. I do not always need the newest
versions, and we have cases where customers are working with a specific
version of plone where some additional packages made backward incompatible
changes that prohibit us from using them for these clients.
So yes, I prefer working on a potentially outdated version.
During development we check regularly for new versions. We have tools for

> > How about only listing packages with provided source code on the simple
> > interface? afaik buildout always uses that, so a package python-openid
> > is visible in the end-user view, but not installable via buildout. That
> > way nobody would have created a dependency on it in the first place.
> If such external links are a problem for zc.buildout, why don't
> you add an option to zc.buildout that prevents using such
> packages ?

Because I consider pypi the root cause of the problem, not the tools.
pip also allows repeatable package sets by defining specific version
requirements. Should this then be patched too?

> This is well possible by checking the /simple index entry
> for links to package download files:
> http://pypi.python.org/simple/python-openid/
> vs.
> http://pypi.python.org/simple/zc.buildout/
> BTW: what are all those bug links doing on the zc.buildout index page ?
> They look a lot like a good possibility for injecting trojans.

I don't know.

What about the suggestion to show all packages on pypi but not all on the
simple view?
I can imagine that having your packages advertised on pypi generates
reasonable revenue, and I am absolutely not against that.
But I am against a pypi index that cannot promise to keep its advertised
packages available.
The simple index view is meant for machines, and I'd be perfectly happy if
what was suggested by Andreas would only be applied to that simple index.

Best regards,
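The check described in the quoted reply, looking at a /simple/<package>/ index page for links to distribution files actually hosted on the index versus links that point off-site, can be automated. The script below is an added example and not code from this thread or from zc.buildout or PyPI; it uses the standard library only and runs against two constructed sample pages modelled on the 2010-era simple-index layout (the package names, versions and digest are made up). A tool like this lets a defender audit a dependency list before an external host disappears or is replaced, which is the repeatability and trojan-injection concern raised above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File suffixes that mark a downloadable distribution on the index.
DIST_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".egg", ".whl", ".exe")
SOURCE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip")


class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on a /simple/<pkg>/ page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((href, attrs.get("rel") or ""))


def classify_simple_index(page_html, page_url):
    """Split the links on a simple-index page into hosted distribution files
    and external links.

    A link counts as a hosted distribution only if it resolves to the same
    host as the index page and names a file with a known distribution suffix
    (a trailing #md5=... fragment, as PyPI used, is ignored). Everything else,
    including an off-site .tar.gz given as download_url, is external.
    """
    parser = _LinkCollector()
    parser.feed(page_html)
    index_host = urlparse(page_url).netloc
    hosted, external = [], []
    for href, rel in parser.links:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.netloc == index_host and parsed.path.lower().endswith(DIST_SUFFIXES):
            hosted.append(absolute)
        else:
            external.append((absolute, rel))
    return {"hosted": hosted, "external": external}


def has_source_distribution(page_html, page_url):
    """True when at least one hosted link is a source archive."""
    hosted = classify_simple_index(page_html, page_url)["hosted"]
    return any(urlparse(u).path.lower().endswith(SOURCE_SUFFIXES) for u in hosted)


# Constructed sample pages (not real PyPI content): one package that only
# points off-site, one that hosts its sdist on the index itself.
EXTERNAL_ONLY_PAGE = """<html><head><title>Links for examplepkg</title></head><body>
<h1>Links for examplepkg</h1>
<a href="http://example.org/examplepkg/" rel="homepage">2.2.1 home_page</a><br/>
<a href="http://example.org/dist/examplepkg-2.2.1.tar.gz" rel="download">2.2.1 download_url</a><br/>
</body></html>"""

HOSTED_PAGE = """<html><head><title>Links for samplebuild</title></head><body>
<h1>Links for samplebuild</h1>
<a href="../../packages/source/s/samplebuild/samplebuild-1.4.4.tar.gz#md5=00000000000000000000000000000000">samplebuild-1.4.4.tar.gz</a><br/>
<a href="http://bugs.example.org/1234" rel="homepage">1.4.4 home_page</a><br/>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("examplepkg", EXTERNAL_ONLY_PAGE), ("samplebuild", HOSTED_PAGE)):
        url = "http://pypi.python.org/simple/%s/" % name
        result = classify_simple_index(page, url)
        print(name, "sdist on index:", has_source_distribution(page, url))
        for link in result["hosted"]:
            print("  hosted  ", link)
        for link, rel in result["external"]:
            print("  external", rel or "-", link)
```

Against a live index the page would be fetched with urllib and passed to the same functions; the classification deliberately keys on the index host rather than on the file suffix alone, because an off-site archive is exactly the kind of link that can vanish or be swapped out from under a buildout.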
