[Distutils] cdecimal licensing/hosting (was: some questions about PEP470)

Ian Cordasco graffatcolmingov at gmail.com
Sun Oct 12 21:26:43 CEST 2014

On Sun, Oct 12, 2014 at 1:44 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Stefan Krah <stefankrah <at> freenet.de> writes:
>> > (for example right now bytereef.org is down, so
>> > we’d not discover any files there).
>> Indeed.  It was up reliably since 2005, down for maintenance on
>> September 23rd (before ShellShock ...).  Then I discovered that
>> someone had put up m3-cdecimal on PyPI (presumably abusing PyPI
>> as their private repo --- there are several m3-* packages now).
>> This triggered some reflection on whether I would make a significant
>> effort in the future to keep things running smoothly for an open source
>> community where authors are largely viewed as expendable.
> I don't know what it means for "authors to be largely viewed as expendable",
> but half the point of hosting things on PyPI is that you *don't* need to do any
> work at all as an author for reliable delivery of your package.
>> Subsequently the downtime (again, the first one since 2005) was picked
>> up for propagandistic purposes on Twitter and Reddit.
> Ok, but you seem to be doing the other side's propaganda. Every single person
> I've spoken to agrees that this just underscores the need to encourage packages
> to be on PyPI.
>> Last year I would have felt an obligation to minimize the downtime
>> to an hour at most.  I no longer feel any such obligations and I'll
>> do it when I have time.
> Ok. The PyPI administrators still feel an obligation to their users, so I'll
> prefer packages under their care.
>> Stefan Krah
> Cheers,
> Alex

Perhaps Stefan's referring to my tweets about the inability to reach
bytereef, but those weren't propaganda tweets. Those were tweets born
out of utter frustration. Further, I'm rather shocked that you've
decided to allow the site to remain unreachable because someone did
what your license allowed them to do (redistribute the software while
retaining the required information: copyright, license, etc). If you
think that makes you expendable, you're half right. Users can
redistribute your software; that's the nature of the license you chose
to use. You're wrong because you, the author, are still very valuable
to those very users who may encounter a bug in the future. I don't see
how intentionally keeping your site unreachable does anything but hurt
your users (unless of course you want them to redistribute it
themselves or switch to Python 3.4).

Does this mean that companies using devpi to keep an internal index
that also have copies of cdecimal are somehow violating your rights?
They're doing exactly what your license allows them to do. Or is it
just that some group has decided to redistribute it directly through
PyPI? I'm thoroughly confused here.
