[Distutils] PEP 470 discussion, part 3

Donald Stufft donald at stufft.io
Thu Jul 24 17:50:15 CEST 2014


On July 24, 2014 at 8:23:59 AM, Stefan Krah (stefan at bytereef.org) wrote:
> Richard Jones <r1chardj0n3s at gmail.com> wrote:
> > There still remains the usability issue of unsophisticated users running into
> > external indexes and needing to cope with that in one of a myriad of ways as
> > evidenced by the PEP. One solution proposed and refined at the EuroPython
> > gathering today has PyPI caching packages from external indexes *for packages
> > registered with PyPI*. That is: a requirement of registering your package (and
> > external index URL) with PyPI is that you grant PyPI permission to cache
> > packages from your index in the central index - a scenario that is ideal for
> > users.
>
> -1. That is unlikely to solve the draconian-terms-and-conditions problem
> and one reason to host externally is to get your own download statistics.

The ToS is not draconian, it is a minimal ToS which allows PyPI to function.

If people want/need additional stats we can add them to PyPI. This is on the TODO list anyways.

> > Organisations not wishing to do that understand that they're the ones
> > causing the pain for users.
>
> No. First, checksummed external packages could be downloaded without asking
> at all. Second, if international authors are required to study US export law
> before uploading, I wonder who is causing the pain.

With PEP 470 you are not required to study anything nor upload to PyPI, if you wish to host outside of PyPI you simply host an external index, which is as simple as a plain HTML file with links to the downloadable files.

> Finally, how can an author cause pain for users? Without him, the work
> would not be there in the first place.

I’m not quite sure how to answer this. It’s quite obvious that an author’s choices can cause pain for a user. For example, the author could have an option where if specified it silently deleted the entire filesystem of the user. This would be incredibly painful for the end user (assuming they didn’t want that of course).

Now a project is owned by the author, so they are allowed to choose to do things which cause pain for end users, and end users get to make a choice about whether it’s worth using that project even with the pain incurred from the author’s choices. The reason we don’t download checksummed external packages by default any more is because they *do* represent a choice that causes pain for end users and thus users should be aware they are making that choice.

> Stefan Krah
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig


-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA