[Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

holger krekel holger at merlinux.eu
Tue Mar 12 17:33:39 CET 2013


On Tue, Mar 12, 2013 at 11:53 -0400, PJ Eby wrote:
> On Tue, Mar 12, 2013 at 7:38 AM, holger krekel <holger at merlinux.eu> wrote:
> > In addition, maintainers of installation tools are asked to release
> > two updates.  The first one shall provide clear warnings if external
> > crawling needs to happen,
> 
> A clarification here: "needs to happen" is not well-specified.  An
> installer tasked with finding the latest or best-matching version of a
> package must currently *always* crawl.  So the warning would be
> always.

Not after the initial automatic PYPI transition. For 90% of the
packages you wouldn't see the warning then.

> The strategy I originally chose for making this change in easy_install
> is to warn once at the beginning that --allow-hosts has not been set,
> and thus packages might be downloaded from anywhere on the internet.

From a UI perspective I'd like to see a summary of actually consulted but
non-specified websites (including if it was http or https) at the
very end of an installer's output.  With "non-specified" I mean sites
that weren't specified as an indexserver or allow-host.

> I've since become uncertain that this change is actually workable in
> the short term, since until most of the packages are actually moved
> onto PyPI, a lot of installs will fail if somebody changes their
> configuration to be more secure.  So I'm thinking the warning needs to
> be deferred until at least the more popular packages have moved to
> PyPI.

I think it's fine to wait until after the initial "hosting-mode" transition.

> > Now, if there is some agreement, I can submit this PEP officially tomorrow,
> > and given agreement/refinements from the Pycon folks and the likes of
> > Richard, we may be able to get going very shortly after Pycon.
> 
> I'd like to suggest that the PEP should be explicit that no other
> changes to the /simple generation algorithm are being made, just the
> removal or alteration of rel="" attributes.  i.e., it will still be
> possible -- at least in the near term -- for projects to include
> explicit download links to files made available elsewhere.  Changing
> that situation is more controversial and will require wider community
> participation than has occurred to date.

I kind of agree.  To transition forward, we should leave out the
question of further modifying the "simple/" pages at the moment.
Mentioning that this means you can put "http://PKGNAME-VER.tar.gz" in
your PKGNAME long_description or download_url metadata makes sense.
For that, the installers will give warnings, however, and eventually 
change defaults according to the PEP draft.

> It might also be good to suggest that authors of PyPI clones plan
> their own phase-out of rel="" attributes.

Most alternative servers I've seen don't use the "rel" attribute,
but it's good to mention it.

best,
holger
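One way to build the end-of-run summary described above (consulted hosts that are neither the index server nor an allow-host, with their scheme), as an added example that is not code from this thread or from any installer: parse a /simple project page, classify each link by host, and group the external ones by scheme and host. The index URL, the sample page and its rel values are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from the anchors of a /simple project page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.links.append((a["href"], a.get("rel", "")))


def classify_links(index_url, html, allow_hosts=()):
    """Split page links into (internal, external) lists of dicts.

    A link is internal when its host is the index server itself or one of
    the explicitly allowed hosts; everything else would require crawling a
    site the user never specified.
    """
    parser = _LinkCollector()
    parser.feed(html)
    allowed = {urlsplit(index_url).hostname, *allow_hosts}
    internal, external = [], []
    for href, rel in parser.links:
        url = urljoin(index_url, href)          # resolve relative package paths
        parts = urlsplit(url)
        entry = {"url": url, "rel": rel, "scheme": parts.scheme, "host": parts.hostname}
        (internal if parts.hostname in allowed else external).append(entry)
    return internal, external


def crawl_summary(index_url, html, allow_hosts=()):
    """Lines an installer could print at the very end: one per external scheme+host."""
    by_site = {}
    for e in classify_links(index_url, html, allow_hosts)[1]:
        by_site.setdefault((e["scheme"], e["host"]), set()).add(e["rel"] or "(no rel)")
    return [f"{scheme}://{host}  (via rel: {', '.join(sorted(rels))})"
            for (scheme, host), rels in sorted(by_site.items())]


# Constructed sample: a hypothetical project page on a hypothetical index server.
INDEX_URL = "https://pypi.example.invalid/simple/example/"
SAMPLE_PAGE = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz">example-1.0.tar.gz</a>
<a href="http://example.org/" rel="homepage">home</a>
<a href="https://downloads.example.org/example-1.1.tar.gz" rel="download">download</a>
<a href="http://mirror.example.net/example-1.1.zip">example-1.1.zip</a>
</body></html>"""

if __name__ == "__main__":
    for line in crawl_summary(INDEX_URL, SAMPLE_PAGE, allow_hosts=("mirror.example.net",)):
        print("consulted non-specified site:", line)
```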


