[Distutils] PEP 470 discussion, part 3
ncoghlan at gmail.com
Thu Jul 24 00:25:38 CEST 2014
On 24 Jul 2014 03:09, "Richard Jones" <r1chardj0n3s at gmail.com> wrote:
> I believe the current PEP addresses the significant usability issues
around this by swapping them for other usability issues. In fact, I believe
it will make matters worse with potential confusion about which index hosts
what, potential masking of release files or even, in the worst scenario,
potential spoofing of release files by indexes out of the control of
Donald covered most points I would have made in his reply, but I do have a
couple of additions specifically on this point:
a) For private indexes, being able to override upstream is a feature, not a
b) Categorically preventing spoofing is what end-to-end signing is for
pip's own existing multiple index support is what makes devpi and its
concept not only of private indexes, but also separate dev, staging and
production indexes, possible.
PEP 470 proposes to make some small enhancements to the multiple index
support in order to allow subsequent deprecation and removal of the
complicated and largely redundant link spidering system.
>From a usability perspective, Ubuntu PPAs (Personal Package Archives, where
users can easily host custom repos on Launchpad) have proved enormously
popular, and Fedora has now adopted a similar model with it's COPR RPM
building and yum repo hosting service. conda also uses channel selection as
a way of determining what packages are available.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Distutils-SIG