[Catalog-sig] Deprecate External Links

Aaron Meurer asmeurer at gmail.com
Wed Feb 27 21:08:53 CET 2013


On Feb 27, 2013, at 1:01 PM, Donald Stufft <donald.stufft at gmail.com> wrote:

On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:

On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor <mordred at inaugust.com> wrote:



On 02/27/2013 02:47 PM, Aaron Meurer wrote:

On Wed, Feb 27, 2013 at 11:37 AM, holger krekel <holger at merlinux.eu> wrote:

On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:

On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg <mal at egenix.com> wrote:

I'm not saying that it's not a good idea to host packages on PyPI,
but forcing the community into doing this is not a good idea.


I still don't understand why not. The only reasons I've seen are
"Because they don't want to" or "because they don't trust PyPI". And
in the latter case I'm assuming they wouldn't use PyPI at all.

And of course, nobody is forcing anyone, just like nobody is forcing
you to use PyPI. :-)


I understood there is the idea to disable external links within a couple
of months. That does break backward compatibility in a considerable way.

holger


But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links by
having them point to nothing if you are worried about the security or
if it's some performance issue (that would indeed be a bad
compatibility break, in case people are using those for other
purposes). Otherwise, if it's a problem, then just use the old
version of pip.


If we don't remove the feature from pypi itself, then it won't help the
folks for whom it's a problem, because there will be no incentive for the
folks hosting their software that way to actually upload their stuff to
PyPI - which means that client-side disabling of external_links is
fairly likely to never be usable.


How would you remove it from PyPI itself? Would that just require
changing some urls, so that pip doesn't know where to find stuff any
more?

Modify the PyPI software to no longer link to those urls.


Right. As I was saying, this would break any other tools that might use
those urls, perhaps for less nefarious purposes. But then again, that's
somewhat speculative. If someone can point out something that uses them,
that will be something to consider, but for now, the main thing we know
uses it is pip (and easy_install), and the whole point is to break them.

Aaron Meurer


Sorry if this is obvious. I'm not a pip/PyPI developer. Just a
package maintainer who has been irked several times by
pip's/PyPI's/easy_install's idiotic external links policy.