[Distutils] PEP 438, pip and --allow-external (was: "pip: cdecimal an externally hosted file and may be unreliable" from python-dev)

Nick Coghlan ncoghlan at gmail.com
Sun May 11 10:50:40 CEST 2014

On 11 May 2014 17:58, "Paul Moore" <p.f.moore at gmail.com> wrote:
> On 11 May 2014 08:38, Nick Coghlan <ncoghlan at gmail.com> wrote:
> > This confusion can likely be resolved by giving the obvious "allow
> > name to the behaviour most users will want, and a more obscure name like
> > "allow verifiable external" to the specialised behaviour folks like Stefan &
> > MAL rely on.
> I'm struggling to reconcile Donald's assertion (based, I believe, on
> his data from PyPI) that there are only 25 or so packages on PyPI that
> are external but safe, and he's not familiar with any of them, against
> the comment that Stefan and MAL are affected by this change.

Let me be clear: this is *not* a technical decision from my perspective. It
is a relationship management one, specifically in regards to maintaining
the still fragile delegation of authority from python-dev to PyPA.

We currently have two core developers (Stefan Krah & Marc-Andre Lemburg)
that are *very* unhappy with the way pip is evolving, because they favour
the use of external hosting over uploading their packages to PyPI. While
that is a minority opinion in the Python community at large, it still
represents a significant proportion of the core developers that actually
pay much attention to packaging issues. Regardless of the technical merits
of PEP 438, that disagreement places a strain on the trust relationship
between python-dev & PyPA, the same relationship we rely on as part of
getting proposals like PEP 453 (and hopefully the eventual inclusion of
ensurepip in a 2.7 maintenance release) approved.

Donald's proposal is to take a situation that Stefan and MAL are *already*
unhappy with and make it even *worse*, by making it impossible to opt in to
verifiable external links without also opting in to unverifiable ones.

Even with the PyPI numbers to back it up, the fast timeline currently
makes it possible to view that proposal as a fit of pique directed at
Stefan & MAL, rather than as a well-considered design decision.

By contrast, keeping the current "allow verifiable external links"
behaviour available as a renamed option prevents that misreading of the
situation: moving the problematic feature aside rather than deleting it
entirely makes it much clearer that the purpose really is the officially
stated one (making things less confusing for most users), and the timing is
largely coincidental, with the python-dev discussion simply acting as a
trigger for people to start seriously discussing ways to improve the
usability of these options.
