[Distutils] PEP470, backward compat is a ...

Paul Moore p.f.moore at gmail.com
Fri May 16 13:07:59 CEST 2014


On 16 May 2014 11:16, holger krekel <holger at merlinux.eu> wrote:
> However, I think PEP470 needs to achieve stronger backward compatibility for
> end-users because, as is typical for the 99%, they like to see change
> but hate to be forced to change themselves.
>
> Allow me to remind you of how PEP438 worked in this regard: all
> end users always remained able to install all projects, including those
> with ancient tools and they all benefitted from the changes PEP438
> brought: 90% of the projects were automatically switched to
> "pypi-explicit" mode, speeding up and making more reliable installs for
> everyone across the board.  Let me thank specifically and once
> again our grand tooler Donald here who implemented most of it.
>
> However, PEP470 does not achieve this level of backward compatibility yet.

One possibility that I thought of (but I'm not 100% sure that I
like...) is to add a step to the transition phases where we do a
one-off crawl of all the external links currently on PyPI and put them
into a static index page. We then publish that via PyPI, but *not*
integrated into the main index.

Pip users who want to be able to use external links can opt in by
using ``--find-links https://pypi.python.org/historic-external.html``
which would be essentially a replacement for --allow-all-external[1].
That page would *not* get updated going forward, so active projects
would need to implement a PEP 438 compliant solution for new releases.

This gives equivalent functionality to the current situation for end
users, while still ensuring that projects move forwards.

Paul

[1] Actually, it would need to include unverified links, so it's
closer to the often-requested --allow-all-unverified - this makes it a
step backwards in terms of security, but maybe that would be
acceptable as a stopgap solution. At the cost of more work, we could
have static pages for each project, so users could opt into only the
indexes for the projects they want to trust.
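
The per-project variant from the footnote above, sketched as an added example (not part of the original message and not PyPI or pip code): it turns a one-off crawl result into one static find-links page per project and leaves out links without a hash fragment unless asked to include them. The crawl data, URLs, function names and the set of accepted hash algorithms are constructed assumptions.

```python
"""Added example: per-project static find-links pages from a one-off crawl."""
from collections import defaultdict
from html import escape
from urllib.parse import urlsplit

# Constructed sample crawl output: (project, external file URL). Not real data.
CRAWLED = [
    ("examplepkg", "https://downloads.example.org/examplepkg-1.0.tar.gz"
                   "#md5=0123456789abcdef0123456789abcdef"),
    ("examplepkg", "http://downloads.example.org/examplepkg-0.9.tar.gz"),
    ("otherpkg", "https://files.example.net/otherpkg-2.1.zip#sha256=" + "ab" * 32),
]

# Assumption: a link counts as "verified" when it carries one of these fragments.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}  # hex digest lengths


def is_verified(url):
    """True if the URL ends in a well-formed #<algo>=<hexdigest> fragment."""
    algo, sep, digest = urlsplit(url).fragment.partition("=")
    if not sep or algo not in HASH_LENGTHS:
        return False
    return (len(digest) == HASH_LENGTHS[algo]
            and all(c in "0123456789abcdef" for c in digest.lower()))


def build_pages(crawled, include_unverified=False):
    """Return {project: html}, one static find-links page per project."""
    links = defaultdict(list)
    for project, url in crawled:
        if include_unverified or is_verified(url):
            links[project].append(url)
    pages = {}
    for project, urls in sorted(links.items()):
        rows = "\n".join(
            '<a href="{0}">{1}</a><br/>'.format(
                escape(u, quote=True),
                escape(urlsplit(u).path.rsplit("/", 1)[-1]))
            for u in urls)
        pages[project] = "<html><body>\n{0}\n</body></html>\n".format(rows)
    return pages


if __name__ == "__main__":
    for name, page in build_pages(CRAWLED).items():
        print("== {0}.html ==\n{1}".format(name, page))
```
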

