[Catalog-sig] an immutable mirror of PyPI

M.-A. Lemburg mal at egenix.com
Tue Jul 5 14:12:41 CEST 2011

Martijn Faassen wrote:
> Hi there,
> On 07/05/2011 12:48 AM, M.-A. Lemburg wrote:
>> Martijn Faassen wrote:
>>> Is there any interest in running an immutable mirror of PyPI on
>>> python.org as a service to package users?
>> AFAIK, gocept is running such a mirror for the own purposes.
>> You might want to partner up with them.
>> I can put you in touch with Christian Theune/GoCept if you like.
> I know Christian quite well, I can easily contact them. I hadn't
> realized they were running an immutable mirror.


>> In general, I find the idea to use a potentially volatile service
>> for running buildout or similar tools a hazardous approach to
>> software configuration management, esp. in production environments.
>> Why don't you just download the packages you have tested and
>> ship them with your application, bypassing all the network
>> and usability issues of a dynamic catalog server ?
> Yeah, that's one way to resolve this.
> It's just a lot more work to do this during development than updating a
> version number in a configuration file when you need a new version.

Hmm, the testing involved with upgrading to a new release
is usually a lot more work than importing the release
into a repository ;-)

FWIW: We've been using the repository approach for many years now
and it has never failed on us. Even doing a 1GB SVN checkout doesn't
really take long if you're doing this on a server which is
directly connected to the Internet. And after the checkout you
can be sure that the production is running the exact same version
as the one you've tested - a guarantee that tools such as buildout,
which download the packages and then build them on the target
machine, cannot provide. YMMV, though.

> Concerning relying on networked resources for the installation of tested
> packages, Linux distributions have been doing this for years; I don't
> think that's a fundamentally flawed approach.

Sure, but those are distributions of collections of packages
that are known to work together (most of the time), not catalogs
like PyPI, which don't provide any compatibility or availability

I was essentially suggesting to setup your own distribution or
distribution server to avoid the issues with missing compatibility
checks or loss of availability of a resource.

> PyPI just is at this point where it works 99.99% percent of the time,
> but it allows sudden surprises to pop up.

I think that's just a coincident, not really a feature :-)

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jul 05 2011)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Catalog-SIG mailing list