[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI
Tres Seaver
tseaver at palladion.com
Thu Jun 17 16:59:37 CEST 2010
Mark Ramm wrote:
> This would also impact projects like turbogears (perhaps we're the
> only one, I don't know) that point to our own pypi compatible index
> with the download URL.
Your *index* is the download URL, or the tarball in the index?
> We do this because then we can fix things
> like packages with no windows eggs, packages that are broken on PyPI
> or whatever. And to help control which versions of which packages
> get installed by setuptools/distribute when you easy_install tg.
>
> I'm fine with putting sdists up on pypi, but still want people to be
> downloading files from our controlled index by default where possible.
Exactly. Anybody who says "repeatable deployment" and "install from
PyPI" in the same breath is fooling themselves already.
- People rename projects on PyPI.
- People remove distributions from PyPI.
- People *replace* distributions on PyPI.
All of which make it impossible to reliably and repeatably deploy
arbitrary software configurations (directly) from PyPI. Managing your
own project-specific index is the only real solution.
Gonna-shoot-the-next-programmer-who-tells-me-don't-make-me-think'ly
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
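The three failure modes listed in the message above (renamed project, removed distribution, replaced distribution), as an added example that is not part of the original post: a lock file of SHA-256 digests audited against an index snapshot. All project names, file names and contents are constructed, and the in-memory dicts are an assumed stand-in for files an index would serve.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(lock, index):
    """Compare pinned distributions against an index snapshot.

    lock:  {project: {filename: sha256 hex digest}}
    index: {project: {filename: file bytes}}
    Returns {(project, filename): status}.
    """
    report = {}
    for project, files in lock.items():
        served = index.get(project)
        for filename, pinned in files.items():
            if served is None:
                status = "project-missing"   # renamed or deleted project
            elif filename not in served:
                status = "file-removed"      # distribution was removed
            elif sha256(served[filename]) != pinned:
                status = "file-replaced"     # same name, different bytes
            else:
                status = "ok"
            report[(project, filename)] = status
    return report

def failures(report):
    """Return only the entries that would break a repeatable deployment."""
    return {key: status for key, status in report.items() if status != "ok"}

# Constructed sample: what the project tested against, kept in its own index.
OWN_INDEX = {
    "alpha": {"alpha-1.0.tar.gz": b"alpha 1.0 sdist"},
    "beta": {"beta-2.1.tar.gz": b"beta 2.1 sdist"},
    "gamma": {"gamma-0.3.tar.gz": b"gamma 0.3 sdist"},
    "delta": {"delta-1.2.tar.gz": b"delta 1.2 sdist"},
}
LOCK = {p: {f: sha256(d) for f, d in fs.items()} for p, fs in OWN_INDEX.items()}

# Constructed sample: the public index some time later.
PUBLIC_LATER = {
    "alpha": {"alpha-1.0.tar.gz": b"alpha 1.0 sdist"},             # untouched
    "beta-ng": {"beta-2.1.tar.gz": b"beta 2.1 sdist"},             # renamed
    "gamma": {},                                                   # removed
    "delta": {"delta-1.2.tar.gz": b"delta 1.2 sdist, re-upload"},  # replaced
}

if __name__ == "__main__":
    for key, status in sorted(audit(LOCK, PUBLIC_LATER).items()):
        print(key, status)
```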