[Catalog-sig] an immutable mirror of PyPI

Ben Finney ben+python at benfinney.id.au
Sat Jul 16 01:08:31 CEST 2011

Martijn Faassen <faassen at startifact.com> writes:

> I don't work in a vacuum. I share code with others. This code has
> dependencies on other code. So how do people obtain this other code?

By depending on other code, you have a choice to make: you either take
the maintenance burden on yourself, or you delegate the maintenance
burden (usually to the developers of that code).

By delegating the maintenance burden of that code elsewhere, that
entails delegating the responsibility for future availability of that

> PyPI I thought was, among other things, a central place where people
> can download and install packages from so that they can resolve
> dependencies, but you seem to be arguing against doing that.

I find it strange that I'm defending PyPI in this instance, since I am
quite sympathetic to complaints that it has poor policies on package
availability and many other complaints.

But you seem to expect that PyPI must guarantee that any package version
ever available will be available forever. That's not reasonable, I

Instead, you need to choose packages considering whether you trust the
package to remain available, which is a social issue between you and the
people developing that work.

If you think there is a significant risk the people responsible for that
package will remove a version on which you depend from PyPI, you should
engage in dialogue with those people to resolve that.

I don't think PyPI has any business requiring package developers to keep
a version available at PyPI beyond when they want it available there.
The risks inherent in that need to be addressed as a social issue, not a
technical limitation.

> At most it's some kind of showcase for packages that people should
> take into their consideration. Taking this point to the extreme, it's
> *never* something that you can automate downloading from.

There are points that can be made toward that view; but I don't find
this specific case (wanting guaranteed availability of every version
forever at PyPI) supports it.

> Instead you should be giving a giant tarball of packages to everybody,
> always, if they use your code at all.

This is indeed a terrible option, and I lament it whenever I see it.

I prefer supporting the efforts of those who *do* provide reasonable
guarantees of package selection and availability and integration
testing. We call them “operating system distributions”.

 \          “In general my children refuse to eat anything that hasn't |
  `\                              danced on television.” —Erma Bombeck |
_o__)                                                                  |
Ben Finney
