[Distutils] PEP 470 - Once More, with Feeling
donald at stufft.io
Mon Oct 13 22:00:08 CEST 2014
> On Oct 13, 2014, at 2:23 PM, Donald Stufft <donald at stufft.io> wrote:
> Alright, here's yet another go at PEP 470.
> See it online at www.python.org/dev/peps/pep-0470/ or reproduced in full down
> below. The diff between this version and the last is available at
> Important Notes:
> * Continue to use a ``<meta>`` link instead of an href to prevent older
> installers from silently picking up insecure hosting URLs.
> * Reduce the overall impact by dropping the special case for PIL and instead
> scan all projects for URLs which add installable files and move them to
> the new external repository feature.
> * Reduce the overall impact by explicitly stating that PyPI will add the
> location of any external repository in the UI for people using installers
> which have not implemented the discovery feature.
> * Explicitly call out the key user experience requirements of a solution to
> the general problem.
> * Simplify the ``<meta>`` tag a bit, and also add explicit repository vs
> find-links types as well as include an example of the ``find-links`` type.
> * Allow a project to both host files on PyPI and register external repositories,
> these can be used for things which cannot be hosted on PyPI such as data
> files or Linux Wheels while still using PyPI as the repository for "regular"
> * Mandate that the discovery mechanism must exist in a released pip prior to
> starting the deprecation process (with the exception of ``pypi-only`` for new
> projects) and call this out using an important admonition.
> * Explicitly call out the fact that 99.5% of the users of the deprecated
> features are doing so unsafely.
> * Explicitly reject the idea of preserving the existing links indefinitely.
> * Removed all examples which used the ``--extra-index-url`` feature of pip to
> remove the distraction of the discussion of how that currently works and in
> what scenarios it's safe or unsafe.
> I've thought it over and gone back and forth on it to myself and others. I
> cannot justify an attempt to preserve backwards compatibility when that
> backwards compatibility is almost entirely unsafe to begin with. What I have
> done is remove the special case of PIL and essentially apply that to all
> projects. This should mean that all projects should have the correct metadata
> immediately without any need for interaction by the authors of said projects.
> I've also explicitly included adding the new metadata to the PyPI web UI to
> improve the discoverability for users of installers which don't have the
> discovery features.
> [lots and lots of words]
I forgot to mention, I’ve also added that installers should implement a feature
by which you can white or blacklist specific projects from being installed from
a particular repository.
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
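The two mechanisms discussed in this message (external repositories declared with a ``<meta>`` tag that href-only installers never see, and an installer-side whitelist/blacklist of projects per repository) as an added example. This is illustrative code written for this page, not code from PEP 470, PyPI or pip. The tag name ``external-repository``, its ``type`` values ``repository``/``find-links``, and the sample index page are assumptions for the sake of the example, not the PEP's syntax.

```python
# Added example (not from PEP 470, PyPI or pip). Sketches:
#  (1) discovery of external repositories declared via <meta> tags on a
#      project's simple-index page; an older installer that only scrapes
#      <a href> links never sees them, which is why <meta> is used here;
#  (2) a per-repository whitelist/blacklist of projects, closed by default,
#      with plain-http repositories refused unless explicitly allowed.
# Assumed: the meta tag name "external-repository", the "type" attribute
# values "repository" / "find-links", and the constructed sample page.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample project page (not a real PyPI page).
SAMPLE_PAGE = """
<html><head>
<meta name="external-repository" type="repository"
      content="https://wheels.example.org/simple/">
<meta name="external-repository" type="find-links"
      content="http://downloads.example.org/files/">
</head><body>
<a href="../../packages/foo-1.0.tar.gz">foo-1.0.tar.gz</a>
</body></html>
"""


def normalize(name):
    """Canonical project name: lowercase, runs of -_. collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


class IndexPageParser(HTMLParser):
    """Collect href links (all an older installer ever scrapes) and
    <meta> external-repository declarations (the discovery feature)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.external = []  # (type, url) pairs in page order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "meta" and a.get("name") == "external-repository":
            self.external.append((a.get("type", "repository"), a.get("content")))


def discover(page_html):
    """Return (hrefs, external) for a project page."""
    parser = IndexPageParser()
    parser.feed(page_html)
    return parser.hrefs, parser.external


class RepositoryPolicy:
    """Per-repository whitelist/blacklist keyed by repository host.

    allow: host -> set of project names permitted from that host ("*" = any)
    deny:  host -> set of project names never fetched from that host
    Hosts absent from `allow` are never used, so the default is closed.
    """

    def __init__(self, allow=None, deny=None, require_https=True):
        self.allow = {h: {normalize(p) for p in ps} for h, ps in (allow or {}).items()}
        self.deny = {h: {normalize(p) for p in ps} for h, ps in (deny or {}).items()}
        self.require_https = require_https

    def permits(self, project, repo_url):
        u = urlparse(repo_url)
        name = normalize(project)
        if self.require_https and u.scheme != "https":
            return False  # plain http: the unsafe case the message calls out
        if name in self.deny.get(u.hostname, set()):
            return False
        allowed = self.allow.get(u.hostname)
        return allowed is not None and (name in allowed or "*" in allowed)


def usable_repositories(project, page_html, policy):
    """External repositories discovered for `project` that `policy` permits."""
    _, external = discover(page_html)
    return [(kind, url) for kind, url in external if policy.permits(project, url)]


if __name__ == "__main__":
    hrefs, external = discover(SAMPLE_PAGE)
    print("href-only scrape sees:", hrefs)
    print("meta discovery sees:  ", external)
    policy = RepositoryPolicy(allow={"wheels.example.org": {"foo"}},
                              deny={"wheels.example.org": {"bar"}})
    print("usable for foo:", usable_repositories("foo", SAMPLE_PAGE, policy))
    print("usable for bar:", usable_repositories("bar", SAMPLE_PAGE, policy))
```

With the default policy the plain-http find-links location is dropped even though the page declares it; an operator has to opt in with ``require_https=False`` and an explicit allow entry for that host before the installer will touch it.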