[Catalog-sig] Stable-releases-only PyPi
tseaver at palladion.com
Tue Jul 12 16:55:31 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
On 07/12/2011 10:26 AM, Éric Araujo wrote:
>> Hmm? In what sense would 2.6.33 ever be used for a "devel"
> By the linux kernel project, for example:
would have been 2.3.36 vs. 2.2 29: the even / odd variation for
development / stable was based on the minor release number, not the
third. Also note that the kernel devs dropped that pattern quite a
while back as being unfruitful.
>> If my application got broken by a project that made such a release,
>> I would be busy ripping out a dependency produced by such an
>> unreliable project, not arguing whether PyPI could / should
>> implement some "technical measure" to make everything happy.
> Granted, this linux kernel versioning example was extreme. However,
> compatibility issues between X.Y.Z and X.Y.Z+1 is not unheard of,
> and that’s a problem that PEP 386 does not address. (Even if it
> did, nothing would prevent human error or malice, we’d still need
> human checks, but at least we’d have a common base for
We *do* have a common base for expectations: the set of projects on
PyPI which violate those expectations (about the semantics of the
version number) is pretty small. Backward-[in]compatibility policy is
just not a documented part of those expectations: you have to learn
each project's policy about BBB issues as part of evaluating whether to
use its releases.
>> If your point is that a "stable-only" mirror could still induce
>> breakage on projects which use it blindly, I certainly concur.
> My point is that “stability” is not defined, at least not by PEP
> 386. And even when the Trove classifiers are set, blindly trusting
> them would not be a good idea.
Sure: blindly trusting any project / author is not a good idea for
people who need highly-reliable / reproducible build-deployment solutions.
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Catalog-SIG