[Catalog-sig] Proposal: close the PyPI file-replacement loophole

M.-A. Lemburg mal at egenix.com
Mon Jan 30 20:56:52 CET 2012

Tarek Ziadé wrote:
> ok, I did not remember that :)
> Nevertheless, you still have the case where someone gets the "old version"
> of Foo 1.2, in his environment, and won't get the new version of Foo 1.2,
> so it won't work for her and she will not understand why
> I think it's a very bad idea to let a window where two different versions
> of the same ...version are in the wild, even if it's a very small window of
> time.
> This happened to me in the past: I pushed a version, screwed up, deleted it
> to push the same version within minutes, and made some people mad because
> they were stuck with the old non-working version :)
> while this is the developer's responsibility not to screw things like this,
> we should make it not possible by design. The caveat of doing a new release
> is minimal if people do the proper automation work of their release process.

Sure, I'm not saying that fixes should be done by using the delete/reupload
dance. It's always better if you do a dot-release to address the problem.

However, there are cases where you simply don't want a brown bag
release to persist and also don't want to issue a new release just
to address a problem with e.g. a broken .so or .pyd file in one of the
distribution files, rendering it completely broken.

Please consider that people are doing releases which require far more
than just running "setup.py register upload": releases that require
sending out announcements, registering the package at various
sites, writing press releases, updating your web site, etc. etc.

For those types of packages, doing a quick dot-release is not
necessarily an option and replacing a broken distribution file
is much less troublesome for both authors and users.

Marc-Andre Lemburg
