[Distutils] Python people want CPAN and how the latter came about

Sridhar Ratnakumar sridharr at activestate.com
Fri Dec 25 05:48:16 CET 2009

On 12/23/2009 10:42 PM, Lennart Regebro wrote:
> On Wed, Dec 23, 2009 at 23:28, Sridhar Ratnakumar
> <sridharr at activestate.com>  wrote:
>> I suggested PyPI to disallow mere project listings (without sources) and
>> require sources to be stored in the server.  One way to achieve this is
>> requiring package authors to use the `sdist upload` toolchain
> Which only means the packages that are not uploaded now wouldn't even be
> listed on PyPI, which is not an improvement.

We can do this only for the new projects/uploads. Existing data can be 
left as it is for backwards compatibility. Here's my updated proposal:

[Sridhar's proposal]
>> How do you propose to change that?
> By requiring authors to upload sdists + metadata from now onwards.
> 'sdist upload' would upload the sdist to /packages/source and also have PyPI generate the metadata from the uploaded sdist. E.g.:
>   /packages/source/f/foo-0.1.tar.gz
>   /packages/source/f/foo-0.1.tar.gz.PKG-INFO
>   /packages/source/f/foo-0.1.tar.gz.requires.txt (optional)
> If the author prefers to use the web browser to upload, then their sdist must contain setup.py and PKG-INFO (w/ at least 'name' and 'version').
> I would leave the existing setup as it is .. so easy_install/pip would continue to install packages like Twisted, ClientCookie that, at the moment, do not have their sdists uploaded in PyPI.


>> While the specific case mentioned above (metadata for a specific or the
>> latest version of a package) uses HTTP GET and XML, generally speaking .. to
>> get a) the list of recent releases, b) list of all versions of a package,
>> one has to use the XmlRpc API methods `changelog` and `package_releases`
>> respectively.
> Well, maybe pure http versions of those would help,

Nope, it matters not whether the metadata can be retrieved via a simple 
HTTP GET or XmlRpc.

> but on the other
> hand, if you automate it, why not use xml-rpc?

Because my intention is to have a simple mirror archive (files, 
directories) that can be mirrored using tools like rsync.

>> As often as the mirror sites would update their content (i.e., one or more
>> times a day).
> I meant that most of the third-party apps would only need the
> metadata, or? I might be wrong, I haven't written any yet. :-) The
> automated documentation that was discussed would only need the source
> packages.

Metadata is definitely needed. Otherwise, I'd have to extract the 
tarball of each and every release of a particular package, in order to 
even find their version number (it is unreliable to parse the filename 
to get version number).

As for the sdists, the following tools would need it: testing service, 
quality ratings, thirdparty package managers (enstaller, PyPM) .. and 
not to mention the various mirror sites.
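
An added illustration of the point made in the message above; it is not part of the original message and not PyPI's or distutils' own code. It shows why an sdist filename cannot be split reliably into name and version, and how the same values are read from the archive's PKG-INFO, which is the data the proposed `.PKG-INFO` sidecar file would expose to mirrors. The function names and the `foo-bar` sample project are hypothetical, and the sample archive is constructed in memory.

```python
import io
import tarfile
from email.parser import Parser


def build_sdist(dirname, pkg_info):
    """Build a constructed in-memory sdist holding only <dirname>/PKG-INFO."""
    data = pkg_info.encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(dirname + "/PKG-INFO")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def filename_candidates(filename):
    """Every way to split '<name>-<version>.tar.gz' at a hyphen."""
    parts = filename[:-len(".tar.gz")].split("-")
    return [("-".join(parts[:i]), "-".join(parts[i:]))
            for i in range(1, len(parts))]


def pkg_info_from_sdist(blob):
    """Return (name, version) from the top-level PKG-INFO of an sdist.

    The member is read in memory; nothing from the archive is written to disk.
    """
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[1] == "PKG-INFO":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                headers = Parser().parsestr(text, headersonly=True)
                if not headers["Name"] or not headers["Version"]:
                    raise ValueError("PKG-INFO lacks Name or Version")
                return headers["Name"], headers["Version"]
    raise ValueError("no top-level PKG-INFO in sdist")


# Constructed sample: a hypothetical project whose name and version both contain hyphens.
SAMPLE_FILENAME = "foo-bar-1.0-2.tar.gz"
SAMPLE_SDIST = build_sdist("foo-bar-1.0-2",
                           "Metadata-Version: 1.0\nName: foo-bar\nVersion: 1.0-2\n")

if __name__ == "__main__":
    print(filename_candidates(SAMPLE_FILENAME))  # three plausible splits
    print(pkg_info_from_sdist(SAMPLE_SDIST))     # the one the author declared
```
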

