[Distutils] Immutable Files on PyPI

Donald Stufft donald.stufft at RACKSPACE.COM
Sun Sep 28 21:31:31 CEST 2014

Hello All!

I'd like to discuss the idea of moving PyPI to having immutable files. This
would mean that once you publish a particular file you can never reupload that
file again with different contents. This would still allow deleting the file or
reuploading it if the checksums match what was there prior.

This would be good for a few reasons:

* It represents "best practices" for version numbers. Ideally if two people
  have version "2.1" of a project, they'll have the same code, however as it
  stands two people installing at two different times could have two very
  different versions.

* This will make improving the PyPI infrastructure easier, in particular it
  will make it simpler to move away from using a glusterfs storage array and
  switch to a redundant set of cloud object stores.

In the past this was brought up and a few points were brought against it, those

1. That authors could simply change files that were hosted on not PyPI anyways
   so it didn't really do much.

2. That it was too hard to test a release prior to uploading it due to the
   nature of distutils requiring you to build the release in the same command
   as the upload.

With the fact that pip no longer hits external URLs by default, I believe that
the first item is no longer that large of a factor. People can do whatever they
want on external URLs of course, however if something is coming from PyPI as
end users should now be aware of, they can know it is immutable.

Now that there is twine, which allows uploading already created packages, I
also believe that the second item is no longer a concern. People can easily
create a distribution using ``setup.py sdist``, test it, and then upload that
exact thing they tested using ``twine upload <path to sdist>``.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
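
The upload rule proposed in this message, sketched as an added example (not part of the original post and not PyPI's code). The class, method and file names are hypothetical, SHA-256 stands in for whatever checksum the index records, and keeping the digest after a delete is one reading of "match what was there prior".

```python
import hashlib


class FileConflict(Exception):
    """Upload would change bytes already published under this filename."""


class ImmutableIndex:
    """Toy model of the proposed rule (hypothetical; not PyPI's code)."""

    def __init__(self):
        self._recorded = {}  # filename -> digest of first upload, never dropped
        self._served = {}    # filename -> bytes currently downloadable

    def upload(self, filename, data):
        digest = hashlib.sha256(data).hexdigest()  # assumed checksum algorithm
        known = self._recorded.get(filename)
        if known is None:
            outcome = "created"
        elif known != digest:
            # Same name, different contents: refused, even after a delete.
            raise FileConflict(f"{filename}: contents differ from first upload")
        elif filename in self._served:
            outcome = "unchanged"   # idempotent re-upload
        else:
            outcome = "restored"    # deleted earlier, identical bytes return
        self._recorded[filename] = digest
        self._served[filename] = data
        return outcome

    def delete(self, filename):
        # Stop serving the file but keep its digest as a tombstone.
        self._served.pop(filename, None)


def demo():
    """Run constructed uploads for one sdist name and return each outcome."""
    idx, name, results = ImmutableIndex(), "example-2.1.tar.gz", []
    steps = [b"tested build", b"tested build", b"silent fix", None,
             b"silent fix", b"tested build"]  # None means delete
    for data in steps:
        if data is None:
            idx.delete(name)
            results.append("deleted")
            continue
        try:
            results.append(idx.upload(name, data))
        except FileConflict:
            results.append("rejected")
    return results
```

The tombstone is what closes the delete-then-replace path: without it, deleting a file and uploading new bytes under the same name would bring back the mutable behaviour.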
