[Catalog-sig] Deprecate External Links

holger krekel holger at merlinux.eu
Thu Feb 28 10:00:34 CET 2013


On Wed, Feb 27, 2013 at 22:04 +0100, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor <mordred at inaugust.com> wrote:
> >> But wouldn't this only be a change in pip/easy_install, not PyPI
> >> itself? I suppose you could explicitly break the external links by
> >> having them point to nothing if you are worried about the security or
> >> if it's some performance issue (that would indeed be a bad
> >> compatibility break, in case people are using those for other
> >> purposes).  Otherwise, if it's a problem, then just use the old
> >> version of pip.
> >
> > If we don't remove the feature from pypi itself
> 
> It isn't a feature of PyPI. PyPI doesn't require you to upload the
> files to PyPI. For that reason, easy_install and PIP will scrape
> external sites to be able to download the files.
> 
> What we should do is agree that this should stop, and a deprecation
> warning to pip and easy_install and after some pre-determined time
> remove the feature from easy_install and pip.

I suggest *changing defaults* rather than removing the feature for
the foreseeable future.  Changing defaults is a powerful way to communicate
and one that doesn't leave people totally stranded who are far removed from
discussions and rationales here.

> > folks for whom it's a problem, because there will be no incentive for the
> > folks hosting their software that way to actually upload their stuff to
> > PyPI
> 
> Yes there will be: Everyone mailing them to tell them their software
> is broken and can't be installed with easy_install and pip. That's
> going to be very annoying very fast. ;-)

I've mailed several maintainers in the last half year of >1K downloaded
projects to inquire about status, and not received replies.  I wanted
to base work on their projects and of course I refrained from doing that
because of the lack of replies.  To me that means you can have users
mailing maintainers or screaming at maintainers or saying bad words
about maintainers or projects all you want but that doesn't mean it's
going to be fixed.

To summarize, having pip/easy_install report red warnings and requiring
to pass a "--htmlscrape=PROJ1,PROJ2" option or so is a good way to
communicate, removing the ability is not, at this point.

best,
holger
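A small model of the default change proposed in this message, added here as an illustration and not code from pip, easy_install, PyPI or anyone in this thread: links on a project's simple-index page that point off PyPI are dropped by default with a warning, and are only kept as install candidates when the project is named in an explicit `--htmlscrape`-style allow-list. `PYPI_HOSTS`, `resolve_candidates`, the sample page and its URLs are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts whose files count as "uploaded to PyPI" (assumption for this model).
PYPI_HOSTS = {"pypi.python.org"}


class _AnchorCollector(HTMLParser):
    """Collect href values of <a> tags from a /simple/<project>/ page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def resolve_candidates(project, page_html, page_url, allow_scrape=frozenset()):
    """Split a project's simple-index links into PyPI-hosted and external ones.

    External links are kept as install candidates only when the project is
    named in allow_scrape (the proposed --htmlscrape=PROJ1,PROJ2 allow-list);
    otherwise they are dropped and a warning text is returned instead.
    """
    collector = _AnchorCollector()
    collector.feed(page_html)
    hosted, external = [], []
    for href in collector.hrefs:
        url = urljoin(page_url, href)  # relative links resolve against the index page
        (hosted if urlparse(url).hostname in PYPI_HOSTS else external).append(url)
    if project in allow_scrape:
        return {"candidates": hosted + external, "external": external, "warning": None}
    warning = None
    if external:
        warning = ("%s: ignoring %d externally hosted link(s); "
                   "pass --htmlscrape=%s to follow them" % (project, len(external), project))
    return {"candidates": hosted, "external": external, "warning": warning}


# Constructed sample page: one file uploaded to PyPI, one link to a third-party host.
SAMPLE_URL = "https://pypi.python.org/simple/example/"
SAMPLE_HTML = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz">example-1.0.tar.gz</a>
<a href="http://downloads.example.org/example-1.1.tar.gz" rel="download">example-1.1.tar.gz</a>
</body></html>"""

if __name__ == "__main__":
    print(resolve_candidates("example", SAMPLE_HTML, SAMPLE_URL)["warning"])
    print(resolve_candidates("example", SAMPLE_HTML, SAMPLE_URL, {"example"})["candidates"])
```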