[Catalog-sig] Flag to tell pip to only install uploaded files

Aaron Meurer asmeurer at gmail.com
Thu Jul 5 09:50:44 CEST 2012

On Jul 5, 2012, at 1:09 AM, Donald Stufft <donald.stufft at gmail.com> wrote:

On Thursday, July 5, 2012 at 2:44 AM, Stefan Krah wrote:

And many people have been pleasantly surprised by external packages.

 I can't imagine a situation where i'd want an external package over one
hosted on PyPI. Out of curiosity what benefits are those people
seeing from them? The only thing I can think of is for projects
where PyPI doesn't allow them to upload because their distributions
are too large (PySide I think?).

I think the other potential reason Carl mentioned was legal reasons.  I
have no idea what those might be, though.

Personally, if I had to guess, most packages that aren't uploaded to PyPI
are simply due to laziness of the maintainer, coupled with the fact that
because of the searching algorithms in pip/easy_install, they really don't
have to.  IMHO, if maintainers want their packages to be pip installable,
then it's quite reasonable to expect them to keep PyPI up to date.

And note that part of my suggestion is to allow direct download links, so
if uploading is a problem for whatever reason, it should not hinder access.

Otherwise all the other properties
of external packages lead themselves to surprising behavior, higher
likelihood that any particular set of requirements will not be available,
and increase the surface for someone to compromise and exploit people
installing via pip/easy_install via PyPI.

Thanks, I think this summarizes the situation nicely.

By the way, I'm curious just how many packages a change in policy would
affect.  How many packages don't have uploads?  How many packages is pip
installing a version newer than the most recent one listed on PyPI?  My
guess is that the numbers would be quite high.

Aaron Meurer

Catalog-SIG mailing list
Catalog-SIG at python.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120705/01ac286a/attachment-0001.html>

More information about the Catalog-SIG mailing list