[Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

PJ Eby pje at telecommunity.com
Tue Mar 12 16:53:10 CET 2013


On Tue, Mar 12, 2013 at 7:38 AM, holger krekel <holger at merlinux.eu> wrote:
> In addition, maintainers of installation tools are asked to release
> two updates.  The first one shall provide clear warnings if external
> crawling needs to happen,

A clarification here: "needs to happen" is not well-specified.  An
installer tasked with finding the latest or best-matching version of a
package must currently *always* crawl.  So the warning would be
always.

The strategy I originally chose for making this change in easy_install
is to warn once at the beginning that --allow-hosts has not been set,
and thus packages might be downloaded from anywhere on the internet.

I've since become uncertain that this change is actually workable in
the short term, since until most of the packages are actually moved
onto PyPI, a lot of installs will fail if somebody changes their
configuration to be more secure.  So I'm thinking the warning needs to
be deferred until at least the more popular packages have moved to
PyPI.


> Now, if there is some agreement, I can submit this PEP officially tomorrow,
> and given agreement/refinements from the Pycon folks and the likes of
> Richard, we may be able to get going very shortly after Pycon.

I'd like to suggest that the PEP should be explicit that no other
changes to the /simple generation algorithm are being made, just the
removal or alteration of rel="" attributes.  i.e., it will still be
possible -- at least in the near term -- for projects to include
explicit download links to files made available elsewhere.  Changing
that situation is more controversial and will require wider community
participation than has occurred to date.

It might also be good to suggest that authors of PyPI clones plan
their own phase-out of rel="" attributes.
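As an added illustration of the "external crawling needs to happen" check discussed in the message above (example code, not from the original post, setuptools, pip or PyPI): it classifies the links on a pre-PEP /simple page as PyPI-hosted or external, using the rel="download"/rel="homepage" attributes as the marker, and builds the kind of warning an installer could emit when --allow-hosts is unset. The index host, the sample page and its URLs are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

INDEX_HOST = "pypi.python.org"  # assumed host serving the /simple index
# Constructed sample /simple page: one PyPI-hosted file plus external links.
SAMPLE_PAGE = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123">example-1.0.tar.gz</a><br/>
<a href="http://example.org/dist/example-1.1.tar.gz" rel="download">1.1 download_url</a><br/>
<a href="http://example.org/" rel="homepage">1.1 home_page</a><br/>
</body></html>"""
BASE_URL = "https://pypi.python.org/simple/example/"

class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("rel") or ""))

def classify_links(page_html, base_url):
    """Return (internal_urls, external_urls, external_hosts).  A link is
    internal only if it resolves to the index host with no rel attribute;
    anything else makes an installer crawl off PyPI."""
    parser = _LinkCollector()
    parser.feed(page_html)
    internal, external, hosts = [], [], set()
    for href, rel in parser.links:
        url = urljoin(base_url, href)
        host = urlsplit(url).hostname or ""
        if host == INDEX_HOST and not rel:
            internal.append(url)
        else:
            external.append(url)
            hosts.add(host)
    return internal, external, sorted(hosts)

def crawl_warning(page_html, base_url, allow_hosts=None):
    """Warning an installer should emit, or None when no external crawl is
    needed.  allow_hosts loosely mimics easy_install --allow-hosts (exact
    host names here, not the real option's glob patterns)."""
    _, external, hosts = classify_links(page_html, base_url)
    if not external:
        return None
    if allow_hosts is None:
        return "--allow-hosts not set; may download from: " + ", ".join(hosts)
    disallowed = [h for h in hosts if h not in allow_hosts]
    return ("external hosts outside --allow-hosts: " + ", ".join(disallowed)) if disallowed else None
```

Run against a real /simple page of that era, the warning fires for nearly every project, which is the point the message makes about "needs to happen" being effectively "always".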
