[Distutils] People want CPAN :-)

Tarek Ziadé ziade.tarek at gmail.com
Mon Nov 9 23:42:58 CET 2009


> I suggest that we check for valid metadata on the uploaded sdists at the least. If you visit
> http://pypm.activestate.com/ - most failed packages are due to the fact the sdist
> uploaded by the author misses certain files such as README.txt (that is read by setup.py)
> or setup.py/PKG-INFO itself.

Unfortunately we can't run arbitrary code on PyPI. So if someone ships
a broken setup.py, there's nothing much we can do unless we are able
to run it in some kind of jail.
Some work was started with Steve Steiner on that topic, but we're
using a buildbot.
It's still experimental because running an arbitrary setup.py can fail
for many reasons.

Another thing: once PEP 345 has the required changes (having metadata
fields with platform conditions) we will be able to do some checks
without having to run any code, for any field located in PKG-INFO.

In any case, I am still not convinced that these checks should be
forced on PyPI side when the sdist is uploaded. I see this as a QA
rating, because even if a project's setup.py is great, other things
can be wrong in the project's code itself.

Tarek




On 11/9/09, Sridhar Ratnakumar <sridharr at activestate.com> wrote:
> On Sat, 07 Nov 2009 07:37:37 -0800, Tarek Ziadé <ziade.tarek at gmail.com>
> wrote:
>
>>>
>>> The solution for a better PyPI:
>>>
>>>  - more checks, more restrictions
>>>  - every package maintainer uploading something to PyPI
>>>   should have a certain attitude that PyPI is a public
>>>   resource where the content should meet certain
>>>   quality criteria and where each package has
>>>   a certain responsibility to Python community.
>> More checks would be nice, so we can provide QA rates or something
>> similar.
>> I don't think we should enforce any policy whatsoever though at PyPI.
>> We can't force people that upload distributions to
>> comply with some strict QA rules imho (no binary distro allowed if no
>> sdist is present for example).
>
> I suggest that we check for valid metadata on the uploaded sdists at the
> least. If you visit http://pypm.activestate.com/ - most failed packages
> are due to the fact the sdist uploaded by the author misses certain files
> such as README.txt (that is read by setup.py) or setup.py/PKG-INFO itself.
>
> Without such quality policing, I can't see how tools like pip/easy_install
> could even install the package (let alone doing it in a user-friendly
> way).
>
> -srid
>


-- 
Tarek Ziadé | http://ziade.org | オープンソースはすごい! | 开源传万世,因有你参与
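The kind of static check the message above describes, checking an uploaded sdist for setup.py and PKG-INFO and validating the PKG-INFO fields without ever executing setup.py, is illustrated here as an added example. It is not code from this thread or from PyPI; it assumes the conventional sdist layout (a single `name-version` top-level directory) and treats `Metadata-Version`, `Name` and `Version` as the required fields. `build_sample_sdist` constructs a small tarball in memory purely as sample input.

```python
import io
import tarfile
from email.parser import Parser

# Fields treated as mandatory for this check (assumption based on PEP 345's
# required fields; the real list could be extended once the PEP is finalized).
REQUIRED_FIELDS = ("Metadata-Version", "Name", "Version")


def build_sample_sdist(name, version, include_pkg_info=True,
                       include_setup_py=True, pkg_info_text=None):
    """Construct a gzipped sdist tarball in memory (sample data, not a real project)."""
    top = f"{name}-{version}"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, text):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        if include_setup_py:
            # The checker never runs this; it only verifies the file is present.
            add("setup.py",
                f"from distutils.core import setup\n"
                f"setup(name={name!r}, version={version!r})\n")
        if include_pkg_info:
            if pkg_info_text is None:
                pkg_info_text = (f"Metadata-Version: 1.2\nName: {name}\n"
                                 f"Version: {version}\nSummary: sample project\n")
            add("PKG-INFO", pkg_info_text)
        add("README.txt", "sample readme\n")
    return buf.getvalue()


def check_sdist(data):
    """Inspect an sdist statically and return a list of problems (empty if OK).

    Only archive contents and the RFC 822-style PKG-INFO headers are read;
    nothing from the archive is executed.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        tops = {name.split("/", 1)[0] for name in members}
        if len(tops) != 1:
            problems.append("archive must have exactly one top-level directory")
            return problems
        top = tops.pop()

        if f"{top}/setup.py" not in members:
            problems.append("missing setup.py")

        pkg_info = f"{top}/PKG-INFO"
        if pkg_info not in members:
            problems.append("missing PKG-INFO")
            return problems
        text = tar.extractfile(members[pkg_info]).read().decode("utf-8", "replace")

    # PKG-INFO uses e-mail header syntax, so the stdlib parser handles it.
    headers = Parser().parsestr(text)
    for field in REQUIRED_FIELDS:
        if not headers.get(field):
            problems.append(f"PKG-INFO lacks required field {field}")

    # Cross-check the metadata against the directory name the archive claims.
    name, version = headers.get("Name"), headers.get("Version")
    if name and version and top != f"{name}-{version}":
        problems.append(f"top-level directory {top!r} does not match {name}-{version}")
    return problems


if __name__ == "__main__":
    print(check_sdist(build_sample_sdist("demo", "0.1")))
    print(check_sdist(build_sample_sdist("demo", "0.1", include_setup_py=False)))
```

Because the archive is only read, a malformed or hostile setup.py cannot affect the checker; the trade-off, as the message notes, is that only what PKG-INFO declares can be validated this way.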