[Catalog-sig] Proposal: close the PyPI file-replacement loophole
donald.stufft at gmail.com
Mon Jan 30 01:44:22 CET 2012
On Sunday, January 29, 2012 at 7:38 PM, "Martin v. Löwis" wrote:
> > When we initially implemented file upload to PyPI it was our intention
> > that the file be immutable once uploaded. The goal was to make things
> > significantly simpler for end users - there would only ever be one
> > file with a given name. If the content changed then so must the name
> > (typically by creating a new release version.)
> I don't actually recall that being a goal :-)
> > Your thoughts?
> -1. There are plenty of ways to check whether the file was modified if
> you already have a copy of it. Users just need to accept that files may
> change, and package authors need to accept that users may retain old
> copies of a file even after they replaced it.
I don't always have a copy of the file; I might only have a reference such as slumber==0.3.0.
> I just got a comment a week ago from a user explicitly expressing thanks for
> the ability to replace files after already publishing them.