[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Terry Reedy tjreedy at udel.edu
Mon Jan 30 22:44:06 CET 2012


On 1/30/2012 3:04 AM, "Martin v. Löwis" wrote:
>>> -1. There are plenty of ways to check whether the file was modified if
>>> you already have a copy of it. Users just need to accept that files may
>>> change, and package authors need to accept that users may retain old
>>> copies of a file even after they replaced it.
>> I don't always have a copy of the file, I might only have a reference
>> such as slumber==0.3.0.
>
> The better. A responsible author, when replacing an existing file,
> should make sure that it is reasonably compatible with the previous
> copy of the file. E.g. the update may include corrected typos or include
> files that the previous copy didn't include; the previous copy may have
> actually not worked at all in some circumstances.
>
> Now, it may be that the author does break your code by mistake when
> replacing a file. You should then report that to the author, asking
> him to restore the original file and be more careful in the future.

In book publishing, typographical errors may be corrected in subsequent
printings without notice. We do the same thing nightly with the docs.

-- 
Terry Jan Reedy