[Distutils] PEP 470 - Once More, with Feeling

Donald Stufft donald at stufft.io
Mon Oct 13 22:00:08 CEST 2014


> On Oct 13, 2014, at 2:23 PM, Donald Stufft <donald at stufft.io> wrote:
> 
> Alright, here's yet another go at PEP 470.
> 
> See it online at www.python.org/dev/peps/pep-0470/ or reproduced in full down
> below. The diff between this version and the last is available at
> https://hg.python.org/peps/rev/2855fa903e89.
> 
> Important Notes:
> 
> * Continue to use a ``<meta>`` link instead of an href to prevent older
>  installers from silently picking up insecure hosting URLs.
> 
> * Reduce the overall impact by dropping the special case for PIL and instead
>  scan all projects for URLs which add installable files and move them to
>  the new external repository feature.
> 
> * Reduce the overall impact by explicitly stating that PyPI will add the
>  location of any external repository in the UI for people using installers
>  which have not implemented the discovery feature.
> 
> * Explicitly call out the key user experience requirements of a solution to
>  the general problem.
> 
> * Simplify the ``<meta>`` tag a bit, and also add explicit repository vs
>  find-links types as well as include an example of the ``find-links`` type.
> 
> * Allow a project to both host files on PyPI and register external repositories,
>  these can be used for things which cannot be hosted on PyPI such as data
>  files or Linux Wheels while still using PyPI as the repository for "regular"
>  situations.
> 
> * Mandate that the discovery mechanism must exist in a released pip prior to
>  starting the deprecation process (with the exception of ``pypi-only`` for new
>  projects) and call this out using an important admonition.
> 
> * Explicitly call out the fact that 99.5% of the users of the deprecated
>  features are doing so unsafely.
> 
> * Explicitly reject the idea of preserving the existing links indefinitely.
> 
> * Removed all examples which used the ``--extra-index-url`` feature of pip to
>  remove the distraction of the discussion of how that currently works and in
>  what scenarios it's safe or unsafe.
> 
> 
> Compatibility:
> 
> I've thought it over and gone back and forth on it to myself and others. I
> cannot justify an attempt to preserve backwards compatibility when that
> backwards compatibility is almost entirely unsafe to begin with. What I have
> done is remove the special case of PIL and essentially apply that to all
> projects. This should mean that all projects should have the correct metadata
> immediately without any need for interaction by the authors of said projects.
> I've also explicitly included adding the new metadata to the PyPI web UI to
> improve the discoverability for users of installers which don't have the
> discovery features.
> 
> PEP:
> 
> [lots and lots of words]

I forgot to mention, I’ve also added that installers should implement a feature
by which you can white or blacklist specific projects from being installed from
a particular repository.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
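The two mechanisms this message describes, discovery of external repositories through a `<meta>` tag rather than an `href` (so that older installers never treat a bare link as an install source) and a per-repository project whitelist/blacklist in the installer, can be sketched together. The following is an added example and is not code from PEP 470, PyPI or pip; the `<meta>` attribute names (`external-repository`, `external-find-links`), the policy dictionary shape and the sample HTML page are assumptions for illustration, since the PEP text itself is not reproduced in the message.

```python
"""Added example, not part of PEP 470 or pip: discover external repositories
declared via <meta> tags on a project page and apply a per-repository
allow/deny policy before an installer may use them."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed tag names; the real PEP wording is not quoted in the message.
META_TYPES = {
    "external-repository": "repository",
    "external-find-links": "find-links",
}


class ExternalRepoParser(HTMLParser):
    """Collect repositories declared in <meta> tags only.

    <a href> links are recorded for inspection but are never returned as
    install sources, which is the point of using <meta> in the first place."""

    def __init__(self):
        super().__init__()
        self.repositories = []  # list of (kind, url)
        self.hrefs = []         # what a legacy href-scraping installer would see

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") in META_TYPES and a.get("content"):
            self.repositories.append((META_TYPES[a["name"]], a["content"].strip()))
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def discover(html):
    """Return (kind, url) pairs declared through <meta> tags, in page order."""
    parser = ExternalRepoParser()
    parser.feed(html)
    return parser.repositories


def is_secure(url):
    """Only https repositories are acceptable; plain http is silently dropped."""
    return urlsplit(url).scheme == "https"


def allowed(repo_url, project, policy):
    """policy maps repository hostname -> {"allow": set or None, "deny": set}.

    A repository that is not in the policy at all is never used: external
    hosting is opt-in per installer configuration."""
    host = urlsplit(repo_url).hostname
    rule = policy.get(host)
    if rule is None:
        return False
    name = project.lower()
    if name in {p.lower() for p in rule.get("deny", ())}:
        return False
    allow = rule.get("allow")
    return allow is None or name in {p.lower() for p in allow}


def usable_repositories(html, project, policy):
    """Repositories an installer may consult for `project`: declared via
    <meta>, served over https, and permitted by the local policy."""
    return [(kind, url) for kind, url in discover(html)
            if is_secure(url) and allowed(url, project, policy)]


# Constructed sample project page (not a real PyPI page).
SAMPLE_PAGE = """
<html><head>
<meta name="external-repository" content="https://wheels.example.org/simple/">
<meta name="external-find-links" content="http://old.example.net/links/">
</head><body>
<a href="https://pypi.example.org/packages/example_project-1.0.tar.gz">sdist</a>
<a href="http://mirror.example.com/">homepage</a>
</body></html>
"""

# Constructed installer policy: the https host may serve example-project only;
# the http host is listed but still rejected because it is not https.
POLICY = {
    "wheels.example.org": {"allow": {"example-project"}},
    "old.example.net": {"allow": None, "deny": set()},
}

if __name__ == "__main__":
    for kind, url in usable_repositories(SAMPLE_PAGE, "example-project", POLICY):
        print(kind, url)
```

Running the block prints only the https repository; the http find-links URL is declared but rejected, and neither `<a href>` link is ever considered an install source. Changing the project name to one not in the allow set yields no usable repositories at all.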