[Catalog-sig] Deprecate External Links

Daniel Holth dholth at gmail.com
Wed Feb 27 21:14:51 CET 2013


On Wed, Feb 27, 2013 at 3:08 PM, Aaron Meurer <asmeurer at gmail.com> wrote:
> On Feb 27, 2013, at 1:01 PM, Donald Stufft <donald.stufft at gmail.com> wrote:
>
> On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
>
> On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor <mordred at inaugust.com> wrote:
>
>
>
> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
>
> On Wed, Feb 27, 2013 at 11:37 AM, holger krekel <holger at merlinux.eu> wrote:
>
> On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
>
> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>
> I'm not saying that it's not a good idea to host packages on PyPI,
> but forcing the community into doing this is not a good idea.
>
>
> I still don't understand why not. The only reasons I've seen are
> "Because they don't want to" or "because they don't trust PyPI". And
> in the latter case I'm assuming they wouldn't use PyPI at all.
>
> And of course, nobody is forcing anyone, just like nobody is forcing
> you to use PyPI. :-)
>
>
> I understood there is the idea to disable external links within a couple
> of months. That does break backward compatibility in a considerable way.
>
> holger
>
>
> But wouldn't this only be a change in pip/easy_install, not PyPI
> itself? I suppose you could explicitly break the external links by
> having them point to nothing if you are worried about the security or
> if it's some performance issue (that would indeed be a bad
> compatibility break, in case people are using those for other
> purposes). Otherwise, if it's a problem, then just use the old
> version of pip.
>
>
> If we don't remove the feature from pypi itself, then it won't help the
> folks for whom it's a problem, because there will be no incentive for the
> folks hosting their software that way to actually upload their stuff to
> PyPI - which means that client-side disabling of external_links is
> fairly likely to never be usable.
>
>
> How would you remove it from PyPI itself? Would that just require
> changing some urls, so that pip doesn't know where to find stuff any
> more?
>
> Modify the PyPI software to no longer link to those urls.
>
>
> Right. As I was saying, this would break any other tools that might use
> those urls, perhaps for less nefarious purposes. But then again, that's
> somewhat speculative. If someone can point out something that uses them,
> that will be something to consider, but for now, the main thing we know uses
> it is pip (and easy_install), and the whole point is to break them.
>
> Aaron Meurer
>
>
> Sorry if this is obvious. I'm not a pip/PyPI developer. Just a
> package maintainer who has been irked several times by
> pip's/PyPI's/easy_install's idiotic external links policy.

Or just expose a new "no external links" API the same as the simple
API (pretty sure crate offers this) that will be the default in the
next release of pip, giving people a little more control over when
their packaging tool breaks.
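Added illustration of what a "no external links" view of the simple API amounts to: the same page with every link that resolves off the index host dropped. This is example code, not pip's or PyPI's own; the sample index page is constructed and the host-based classification is an assumption about how such a filter could be drawn.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a PyPI "simple" page for one project (assumption:
# one on-index relative link, two off-site links, one absolute on-index link).
SAMPLE_SIMPLE_PAGE = """
<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef" rel="internal">example-1.0.tar.gz</a><br/>
<a href="http://example.org/downloads/example-1.1.tar.gz" rel="download">1.1 download</a><br/>
<a href="https://example.org/" rel="homepage">1.1 home_page</a><br/>
<a href="https://pypi.python.org/packages/source/e/example/example-1.2.tar.gz">example-1.2.tar.gz</a><br/>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from the page's anchor tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href:
            self.hrefs.append(href)


def classify_links(page_html, page_url):
    """Split a simple page's links into on-index and off-index absolute URLs.

    A link counts as internal only when it resolves to the index's own host;
    anything pointing at another server is external, i.e. what a
    "no external links" index would omit.
    """
    index_host = urlsplit(page_url).netloc.lower()
    parser = LinkCollector()
    parser.feed(page_html)
    result = {"internal": [], "external": []}
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        host = urlsplit(absolute).netloc.lower()
        result["internal" if host == index_host else "external"].append(absolute)
    return result


def no_external_links_view(page_html, page_url):
    """The page reduced to the links a client would see without external links."""
    return classify_links(page_html, page_url)["internal"]
```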
