[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Laurence Rowe l at lrowe.co.uk
Thu Jun 17 18:37:22 CEST 2010

Andreas Jung-5 wrote:
> Hi there,
> I propose a policy change for packages registered with PyPI:
>  - packages registered on PyPI have at least one release
>  - one release of registered package on PyPI _must_ contain
>    a valid source code distribution (sdist)
>  - packages registered on PyPI without releases or without
>    source code release are subject to be removed after N days
>    after the day of registration
> Why?
> Any package registered on PyPI is possibly crucial to any kind of
> development and deployment.
> Packages hosted on external servers (referenced through a download_url)
> are subject to come and go - packages once released should be available
> at any time from a well-known location (PyPI). Dependencies on the
> availability of external downloads servers other than PyPI are hardly
> acceptable for real-world development and deployments.
> As an example: the Plone CMS buildouts depend on python-openid.
> This package is registered with PyPI
> http://pypi.python.org/pypi/python-openid
> but references to
> http://openidenabled.com/files/python-openid/packages/python-openid-2.2.4.tar.gz
> For whatever reason the download URL is no longer working. In fact:
> openidenabled.com now points to http://www.janrain.com.
> Other reasons for disappearing packages in the past:
>  - network or server outages of external servers
>  - users changed their organization and the organization removed
>    content of their former employees
> PyPI is a valuable and crucial resource for Python development.
> It must be kept up-to-date and consistent.
> I don't care about the arguments that were made in the past against
> stronger rules ("openness" etc.).
> There are a lot of Python programmers around that are not Python geeks
> as most of us are and they just become pissed off when packages come and
> go or are not in the place where one would expect them.
> PyPI is a community resource - but community does not mean anarchy where
> everyone should be able to upload their package crap without looking left
> and right and having the community and its needs in mind.
> PyPI must become a stable package index. Everything registered with PyPI
> must be available at any time (mirrors, distributing PyPI in the
> cloud...).

While I agree it would be great if we could enforce source packages being
uploaded to pypi (at least for open source packages), agreement on this is
looking unlikely.

What we buildout users really want is for the simple index to contain a copy
of the uploaded files (or at least the source packages). Instead of creating
links to other referenced urls in the simple index, setuptools / distribute
could be used to fetch the package and store a copy. A flag could be set on
indexed proprietary packages to exclude them from the simple index.

There would seem to be a great benefit to doing this centrally and mirroring
out the result rather than multiple companies maintaining their own
individual pypi mirrors.
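The situation the thread describes (a project registered on the index whose only download link points at a third-party host that may later disappear) can be checked mechanically from the project's simple-index page. The script below is an added example, not code from this thread, from PyPI or from setuptools: it parses a PEP 503 style "simple" page, treats relative links and links on an assumed set of placeholder index hosts (pypi.example, files.pypi.example) as hosted on the index, and reports whether a source distribution is actually hosted there or only referenced externally. Both sample pages are constructed for the example and do not describe any real project.

```python
"""Audit a PEP 503 style simple-index page for a project: does the index
itself host a source distribution, or does the page only link elsewhere?

Added example; not code from the thread above or from PyPI/setuptools.
All host names and sample pages here are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: host names the index serves files from (placeholders, not real hosts).
INDEX_HOSTS = {"pypi.example", "files.pypi.example"}

# Filename suffixes accepted as a source distribution (sdist).
SDIST_SUFFIXES = (".tar.gz", ".tgz", ".tar.bz2", ".zip")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_sdist(filename):
    """True if the filename looks like a source distribution archive."""
    return filename.lower().endswith(SDIST_SUFFIXES)


def audit_simple_page(html, index_hosts=INDEX_HOSTS):
    """Classify each link on a simple-index page as hosted on the index or external."""
    parser = _LinkCollector()
    parser.feed(html)
    hosted_sdists, hosted_other, external = [], [], []
    for href, text in parser.links:
        parts = urlsplit(href)
        # PEP 503 permits relative URLs; those resolve to the index itself.
        on_index = parts.netloc == "" or parts.netloc.lower() in index_hosts
        filename = parts.path.rsplit("/", 1)[-1] or text
        if on_index:
            (hosted_sdists if is_sdist(filename) else hosted_other).append(filename)
        else:
            # Drop the "#sha256=..." fragment so the report shows the bare URL.
            external.append(href.split("#", 1)[0])
    return {
        "has_hosted_sdist": bool(hosted_sdists),
        "hosted_sdists": hosted_sdists,
        "hosted_other": hosted_other,
        "external_urls": external,
    }


# Constructed sample: the index hosts both an sdist and a wheel.
SAMPLE_HOSTED = """<!DOCTYPE html><html><body>
<h1>Links for demo-pkg</h1>
<a href="https://files.pypi.example/demo-pkg-1.0.tar.gz#sha256=0000">demo-pkg-1.0.tar.gz</a><br/>
<a href="https://files.pypi.example/demo_pkg-1.0-py3-none-any.whl#sha256=0000">demo_pkg-1.0-py3-none-any.whl</a><br/>
</body></html>"""

# Constructed sample: the project is registered, but its only archive lives on
# a third-party host (the pattern the thread complains about).
SAMPLE_EXTERNAL_ONLY = """<!DOCTYPE html><html><body>
<h1>Links for demo-pkg</h1>
<a href="https://files.thirdparty.example/demo-pkg-2.2.4.tar.gz" rel="download">demo-pkg-2.2.4.tar.gz</a><br/>
<a href="https://thirdparty.example/demo-pkg/" rel="homepage">home page</a><br/>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("hosted", SAMPLE_HOSTED), ("external-only", SAMPLE_EXTERNAL_ONLY)):
        report = audit_simple_page(page)
        status = "OK" if report["has_hosted_sdist"] else "WARN: no sdist hosted on the index"
        print(f"{name}: {status}")
        for url in report["external_urls"]:
            print(f"  external link: {url}")
```

Run against a real index page, the same function flags every project whose files would vanish if the referenced third-party host went away; the `external_urls` list is the set of hosts a deployment silently depends on.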
