[Catalog-sig] an immutable mirror of PyPI

M.-A. Lemburg mal at egenix.com
Wed Jul 6 11:10:01 CEST 2011

Martijn Faassen wrote:
> Hi there,
> On Tue, Jul 5, 2011 at 8:42 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> [snip]
>> I can understand the problem. I'm just telling you that the solution
>> you propose is an unacceptable interference with the freedom of the
>> package authors (and this comes from somebody who thinks that a rating
>> system is *not* an unacceptable interference with that freedom).
> Sure. Unacceptable interference with the freedom of package authors to
> remove stuff. Unacceptable because developers need
> the freedom to remove old versions of their software from the internet. :)
> So if someone comes up with an immutable mirror, do you think that's
> unacceptable interference with the freedom of package authors as well?
> Just checking.

There are situations where you have to be able to remove a
package file or even a complete package and by introducing
public immutable servers you make it harder for package
authors or PyPI maintainers to resolve such issues.

Some possible reasons:

 * legal action (copyright, trademark, DMCA, license issues, etc)

 * removal of malicious packages (e.g. script kiddy stuff in

 * reassigning package names (not sure whether that's possible with
   PyPI, but it certainly happens in the wild every now and then)

 * renaming packages (e.g. due to a poor initial package name

 * seriously broken builds (e.g. that cause users to lose data)

Private immutable index servers should not be a problem, since
the package author or the PSF (as legal entity behind PyPI)
has no direct way of fixing those.

Please note that PyPI is getting bigger every day, so even if
we are not seeing many such cases now, the problems can arise and
if they do, they are going to cause a lot of trouble.

Even as owner of a private immutable mirror, you would still
want to know about such issues and I'm not sure whether you're
really up to dealing with those cases as mirror maintainer.

I'm repeating myself, but I still think you're better off creating
a special mirror for your projects which then only has the packages
and versions you want and need in your projects.

Setting up such a mirror is really easy. All it takes is some web
server, a directory with the package files and a script to create
a static PyPI-style simple index file.... but you know all that,
after all, Zope and Plone have been running such PyPI-style
repositories for years :-)

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jul 06 2011)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
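
As an added example (not code from this thread, from eGenix, or from Zope/Plone), here is the "script to create a static PyPI-style simple index" step from the message above: it walks a directory of package files and writes the simple index format later formalized as PEP 503, with a sha256 fragment on every link so a private mirror only ever serves the exact files its owner vetted. The directory layout, the `packages/` and `simple/` names and the simplified sdist filename parsing are assumptions of this example.

```python
import hashlib
import html
import re
import tempfile
from pathlib import Path

# Assumed layout (example code, not from the thread): files live in <root>/packages/
# and the index goes to <root>/simple/, so simple/<project>/ links via ../../packages/.
FILES_REL = "../../packages/"

def normalize(name):
    """PEP 503 project-name normalization."""
    return re.sub(r"[-_.]+", "-", name).lower()

def project_of(filename):
    """Project name from a wheel or sdist filename (sdists: split at last '-')."""
    if filename.endswith(".whl"):
        return normalize(filename.split("-")[0])
    stem = re.sub(r"\.(tar\.gz|tar\.bz2|zip)$", "", filename)
    return normalize(stem.rsplit("-", 1)[0])

def build_index(packages_dir, index_dir):
    """Write simple/index.html and simple/<project>/index.html; return {project: {file: sha256}}."""
    projects = {}
    for f in sorted(Path(packages_dir).iterdir()):
        if f.is_file():
            digest = hashlib.sha256(f.read_bytes()).hexdigest()
            projects.setdefault(project_of(f.name), {})[f.name] = digest
    root = ["<!DOCTYPE html><html><body>"]
    for proj, files in sorted(projects.items()):
        root.append(f'<a href="{proj}/">{html.escape(proj)}</a><br>')
        (index_dir / proj).mkdir(parents=True, exist_ok=True)
        page = ["<!DOCTYPE html><html><body>"]
        for fn, digest in sorted(files.items()):
            # The #sha256= fragment makes pip verify every file it downloads.
            page.append(f'<a href="{FILES_REL}{fn}#sha256={digest}">'
                        f'{html.escape(fn)}</a><br>')
        page.append("</body></html>")
        (index_dir / proj / "index.html").write_text("\n".join(page))
    root.append("</body></html>")
    (index_dir / "index.html").write_text("\n".join(root))
    return projects

def demo():
    # Constructed sample files in a temp dir; returns the mapping build_index produced.
    root = Path(tempfile.mkdtemp())
    (root / "packages").mkdir()
    (root / "packages" / "Zope_Interface-4.0.tar.gz").write_bytes(b"hello")
    (root / "packages" / "plone_api-1.0-py2-none-any.whl").write_bytes(b"world")
    return build_index(root / "packages", root / "simple")
```

Point a web server at `<root>` and use `pip install --index-url http://host/simple/ <project>`; a file that does not match its recorded hash is rejected by pip.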
