[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

Ronald Oussoren ronaldoussoren at mac.com
Thu Jun 17 23:40:13 CEST 2010



On Jun 17, 2010, at 18:53, Andreas Jung <lists at zopyx.com> wrote:

> Ronald Oussoren wrote:
>> 
>> On 17 Jun, 2010, at 13:20, Patrick Gerken wrote:
>>> 
>>> 
>>>    Please have a look at the package in question. The only problem
>>>    with it is that the download URL registered on PyPI no longer works.
>>>    It redirects to the download page where you can find the source
>>>    distribution.
>>> 
>>> 
>>> And that's exactly what Andreas' argument is targeting.
>>> 
>> 
>> Note that even a requirement to upload a package to PyPI won't reliably
>> solve Andreas' problem, the package owner could remove a release or even
>> the entire package.  
> 
> Released is released. There are only very few cases where one should be
> allowed to remove packages (e.g. containing viruses, malware etc.).
> Otherwise released stuff must not be touched.

I agree that it would in most cases be better to keep releases around, but a developer might not have the option to do so for legal reasons.

And as someone else noted, uploading to PyPI might not be possible either for legal reasons, such as for cryptographic software.

Ronald
> 
> - -aj

