[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Tres Seaver tseaver at palladion.com
Mon Mar 11 17:21:02 CET 2013



On 03/11/2013 02:23 AM, Lennart Regebro wrote:

> The uptime problem is *only* solvable by minimizing the number of 
> hosts involved. The minimum number of hosts is one. That means we 
> should get all releases onto PyPI.

Uptime for *production* use is a red herring here.  Anybody who needs
uptime should be maintaining their own deployment-specific index, or
paying somebody to do that for them.  Period.  Anybody who needs that
kind of uptime *also* needs insulation from other factors which PyPI
project authors can inject into the equation, regardless of PyPI's uptime
(or any external host).

- Uploading undocumented backward-incompatible changes in third-dot
  releases.

- Uploading a new feature release which injects new security
  vulnerabilities (think of the Ruby-YAML stuff).

- Deleting distributions or releases.

- Re-uploading a *different* tarball over the top of an existing one
  (without bumping the version).

Not to mention the possibility of uploaded trojans / malware when a
developer loses control of his laptop / keys, etc. to a hostile actor.

PyPI's uptime is primarily important for *development* use cases, not for
deployment / operations, and in those cases convenience, safety, and
community building are as important as uptime (consumers of FLOSS don't
have any SLA with the producers).

At a sprint, for instance, it is obnoxious to have a dependency with
external files on a slow or hanging host:  it breaks the repeatability of
builds, as well as damaging the velocity of the sprint.  But the
sprinters do *not* have recourse (other than complaining loudly) for such
cases, where they have chosen to rely on PyPI or the external sites for
quick and convenient discovery of those dependencies, instead of going to
the trouble to create a curated index for their own use.



Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
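As an added example (not code from this post, from PyPI, or from any packaging tool), here is the kind of check a deployment-specific index or lock file gives you against two of the risks listed above: a release file silently re-uploaded with different contents under the same version, and a release deleted upstream. Each file is pinned by its SHA-256 the first time it is used, and every later fetch is compared against that pin. The filenames and file contents are constructed placeholders.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional

# Constructed stand-ins for release files fetched from an index.
ORIGINAL_SDIST = b"constructed sdist contents for example-1.2.0"
REUPLOADED_SDIST = b"different contents re-uploaded as example-1.2.0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_release(lock: Dict[str, str], filename: str, data: bytes) -> Dict[str, str]:
    """Record the digest of a release file the first time it is accepted."""
    lock[filename] = sha256_hex(data)
    return lock


def check_release(lock: Dict[str, str], filename: str, data: Optional[bytes]) -> str:
    """Classify a fresh fetch against the lock.

    'unpinned': never recorded, so nothing to compare against (review before use)
    'missing' : upstream no longer serves the file (release deleted)
    'changed' : same filename/version, different bytes (tarball re-uploaded)
    'ok'      : bytes match the pinned digest
    """
    if filename not in lock:
        return "unpinned"
    if data is None:
        return "missing"
    if sha256_hex(data) != lock[filename]:
        return "changed"
    return "ok"


def save_lock(lock: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(lock, indent=2, sort_keys=True))


def load_lock(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text()) if path.exists() else {}


def demo() -> Dict[str, str]:
    """Pin the original sdist, then audit the re-upload and deletion cases."""
    lock = pin_release({}, "example-1.2.0.tar.gz", ORIGINAL_SDIST)
    return {
        "unchanged": check_release(lock, "example-1.2.0.tar.gz", ORIGINAL_SDIST),
        "reuploaded": check_release(lock, "example-1.2.0.tar.gz", REUPLOADED_SDIST),
        "deleted": check_release(lock, "example-1.2.0.tar.gz", None),
        "new_version": check_release(lock, "example-1.3.0.tar.gz", b"new release"),
    }
```

A "changed" result is the signal to stop the build and investigate rather than to re-pin automatically, since a re-upload without a version bump is exactly the case the lock exists to catch.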
