[Catalog-sig] PyPI's external packages

Richard Jones richard at python.org
Sat May 14 07:48:47 CEST 2011

On 13 May 2011 21:49,  <exarkun at twistedmatrix.com> wrote:
> On 06:35 am, richard at python.org wrote:
> There was one that I couldn't upload.  I never figured out why, I just gave
> up on trying to distribute that file.  Learning about file format type byte
> headers is also too high a barrier.

You shouldn't need to if it was produced by distutils. A file rejected
in this way is a bug in PyPI.

>> I do not believe we should allow uploading of arbitrary content as
>> packages to PyPI.
> I'm not suggesting this.

OK, I misunderstood.

>> [snip]
>>> Plus, if I really want to dump garbage onto
>>> PyPI, then I can still use the web interface.  Making uploading
>>> inconvenient
>>> isn't a strategy for keeping trouble away.
>> The web form for uploading packages is subject to the same file
>> legitimacy tests as the distutils upload command. They both use the
>> same HTTP call on PyPI.
> I don't think you understood what I was saying.  The fact that the server
> imposes these checks is exactly why letting a user specify any file to
> "setup.py upload" is fine.  The server can always reject it if it wants to.

Yep, I understand your point now.


More information about the Catalog-SIG mailing list