[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI
steve at pearwood.info
Thu Jun 17 17:11:01 CEST 2010
On Thu, 17 Jun 2010 04:11:19 pm Christian Zagrodnick wrote:
> On 2010-06-17 06:22:32 +0200, Andreas Jung <lists at zopyx.com> said:
> > Hi there,
> > I propose a policy change for packages registered with PyPI:
> > - packages registered on PyPI have at least one release
> > - one release of registered package on PyPI _must_ contain
> > a valid source code distribution (sdist)
Please take your religious wars elsewhere. Python might be open source
software, but there is no requirement that only open source software
can be written in Python, and PyPI is for all Python developers, not
just FOSS developers.
> > - packages registered on PyPI without releases or without
> > source code release are subject to be removed after N days
> > after the day of registration
> > Why?
> > Any package registered on PyPI is possibly crucial to any kind of
> > development and deployment.
Just because it's crucial to you doesn't mean you own it and can dictate
what the package owner does with it.
The important question here is, who controls the package? Is it the
package owner, or PyPI? Your proposal is to give control over the
package to PyPI rather than the owner and strip the developer of
control in return for indexing the package on PyPI. Not only is that in
my opinion rude and unethical, but I expect it will lead to a lot of
authors abandoning PyPI. Instead of being the one obvious place to
index Python packages, this proposal will fragment the package space.
Not where the packages are hosted, but where they are indexed.
> > Packages hosted on external servers (referenced through a
> > download_url) are subject to come and go - packages once released
> > should be available at any time from a well-known location (PyPI).
And packages that are crucial to development should be bug-free, so
perhaps we should ban packages that contain bugs too?
> > Dependencies on the availability of external downloads servers
> > other than PyPI are hardly acceptable for real-world development
> > and deployments.
> I second that. External download URLs are really a pain.
Then don't use them. Problem solved.
> I don't think that removing packages that way would really solve the
> problem. I think the core is:
> * Require the package to have a source dist *on* PyPI
> * Forbid removing any source package.
You would FORBID the package author from removing his or her own
There are all sorts of reasons, some good, some bad, why an author might
decide to remove his package from public distribution. What gives you
the right to decide that he should be prohibited from doing so?