[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Mon Jan 30 01:44:22 CET 2012

On Sunday, January 29, 2012 at 7:38 PM, "Martin v. Löwis" wrote:

> > When we initially implemented file upload to PyPI it was our intention
> > that the file be immutable once uploaded. The goal was to make things
> > significantly simpler for end users - there would only ever be one
> > file with a given name. If the content changed then so must the name
> > (typically by creating a new release version.)
> >  
> I don't actually recall that being a goal :-)
> > Your thoughts?
> -1. There are plenty of ways to check whether the file was modified if
> you already have a copy of it. Users just need to accept that files may
> change, and package authors need to accept that users may retain old
> copies of a file even after they replaced it.

I don't always have a copy of the file, I might only have a reference  such as slumber==0.3.0.  
> I just got a user comment a week ago of a user explicitly thanking about
> the ability to replace files after already publishing them.
> Regards,
> Martin
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120129/4d0aa1a5/attachment.html>

More information about the Catalog-SIG mailing list