[Catalog-sig] Use user-specific site-packages by default?
Terry Reedy
tjreedy at udel.edu
Tue Feb 5 22:02:17 CET 2013
On 2/5/2013 8:02 AM, Jesse Noller wrote:
>
> On Feb 5, 2013, at 7:51 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
>
>> On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
>>> 1. Packages should only be installed from the given package indexes.
>>> No scraping of websites as at least easy_install/buildout does, no
>>> downloading from external download links. A deprecation period for
>>> this of a couple of months, to give package authors the chance to
>>> upload their packages is probably necessary.
>> PyPI will need to change for this to happen realistically if I recall.
>> There is a hard limit on how large of a distribution can be uploaded to
>> PyPI and there are, if I recall, valid distributions which are larger
>> than that.
>>
>> Personally I want the installers to only install from PyPI, so my
>> suggestion, if this is something that (the proverbial) we want to do, is
>> that PyPI should gain some notion of a soft limit for distribution upload
>> (to prevent against DoS) with the ability to increase that size limit for
>> specific projects, who can file a ticket w/ PyPI to have their limit
>> increased.
>
> I strongly concur; however this does mean I will need to work with the
> board to procure additional storage or we will need to take the monthly
> storage hit and push it to s3 or another CSP.
It seems to me that only downloading from PyPI is as extreme as
downloading from anywhere and everywhere. Why is downloading from
code.google.com, for instance, worse than from pypi.python.org? I
suspect their uptime and security are *better* than ours. Ditto
for SourceForge. Why should PSF, with limited resources, pay for what
Google, for instance, with its massive resources, gives out for free? I
would rather the money went, for instance, to pay someone to review and
push patches that no one will look at for free. Or pay someone to work
on some of the hard security issues that are not being solved as fast as
they should be otherwise.
--
Terry Jan Reedy