[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Ronald Oussoren ronaldoussoren at mac.com
Mon Mar 11 10:56:23 CET 2013

On 11 Mar, 2013, at 10:31, Lennart Regebro <regebro at gmail.com> wrote:

> On Mon, Mar 11, 2013 at 9:33 AM, Ronald Oussoren <ronaldoussoren at mac.com> wrote:
>> On 11 Mar, 2013, at 9:18, Lennart Regebro <regebro at gmail.com> wrote:
>>> On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren <ronaldoussoren at mac.com> wrote:
>>>> But this isn't necessarily true, there is another solution: mirror your requirements locally.
>>> I do that. This is not a solution, because your requirements yesterday
>>> is not your requirements tomorrow.
>> So? When your requirements change you change the local mirror.
> How? You can't mirror something that you can't reach.

Now I'm confused. You want to change a dependency without testing it beforehand?

I'm probably getting old, but for production software I tend to download and archive
all versions used instead of assuming that all software can at all times easily be

When I want to update a dependency (new version, new external package)
I first download and test, then add it to the local archive.

Part of the reason for this is that the production site doesn't have a fast always on
internet connection, another part is that the local archive ensures I can reproduce
the exact installation on another server without cloning the first one.

> The only local solution to this is to mirror every file that is
> reachable via PyPI, in advance. That is obviously *not* a feasible
> solution.
>> I guess the only way we will know why some authors don't upload archives to
>> PyPI is to ask (some of) them.
> Right. I don't think it's feasible to discuss speculative reasons, and
> in any case I strongly believe that whatever reason people have, we
> still should not let the Python tools install packages from
> third-party hosts by default.

I don't have problems with installing from 3rd-party hosts, as someone noted
earlier some of those 3rd-party hosts have very high uptimes themselves (github,
bitbucket, ...).

The current way to get to those 3rd-party hosts is hacky and could be changed,
for example by adding a PyPI API for registering download links and other metadata
for specific files (that is, a way to add items to the file list on PyPI that aren't hosted on PyPI).

I don't know how feasible this would be when packages are signed
using TUF, but it could work with Giovanni's proposal using PGP signatures.

A problem with adding such an API is that there is no reason to assume that
it would actually be used, using that API would be about as much work as
using the upload API in the first place.

> If you have your own index (like Plone
> currently does, largely because of the problems caused by having
> packages on several different servers) that should of course be
> allowed.
> I have a list of emails already, if somebody wants to ask people. :-)

That won't be me, I don't have enough time available to act upon the results.
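An added example, not Ronald's own tooling, of the archive-and-verify step described above: a manifest of SHA-256 digests is recorded for a local release-file archive once the downloaded files have been tested, and a copy of the archive is checked against that manifest before anything is installed from it. The archive directory and the file names in the test are constructed.

```python
import hashlib
import json
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large sdists and wheels are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(archive_dir: Path) -> dict:
    """Record every release file in the local archive with its digest.

    Run this after a newly downloaded file has been tested and accepted;
    the manifest is the record of exactly which bytes were approved."""
    return {p.name: sha256_of(p) for p in sorted(archive_dir.iterdir()) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    """Store the manifest as JSON next to (or separately from) the archive."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_archive(archive_dir: Path, manifest: dict) -> dict:
    """Compare a copy of the archive against the manifest before installing from it.

    Returns the names of files that are missing, whose contents changed, or that
    are present but were never approved; an empty result means the copy is exact."""
    present = {p.name: sha256_of(p) for p in archive_dir.iterdir() if p.is_file()}
    return {
        "missing": sorted(n for n in manifest if n not in present),
        "modified": sorted(n for n in manifest if n in present and present[n] != manifest[n]),
        "unexpected": sorted(n for n in present if n not in manifest),
    }


# A clean verify_archive result is the gate before e.g.
#   pip install --no-index --find-links <archive_dir> -r requirements.txt
# which installs from the verified local archive only, with no network lookups.
```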