[Distutils] Immutable Files on PyPI

Chris Jerdonek chris.jerdonek at gmail.com
Sun Sep 28 23:21:11 CEST 2014 

Would this also affect the ability to update the "readme" information
for a version on PyPI (i.e. the information displayed on the default
home page generated by PyPI for the release) once the version has
already been uploaded to PyPI?

There are sometimes issues encountered with the display of that
information that can't easily be checked without doing an actual
version upload.

I haven't recently tried reuploading the metadata for a version,
mainly because of uncertainty around how PyPI would handle it.

Thanks,
--Chris



On Sun, Sep 28, 2014 at 12:31 PM, Donald Stufft
<donald.stufft at rackspace.com> wrote:
> Hello All!
>
> I'd like to discuss the idea of moving PyPI to having immutable files. This
> would mean that once you publish a particular file you can never reupload
> that
> file again with different contents. This would still allow deleting the file
> or
> reuploading it if the checksums match what was there prior.
>
> This would be good for a few reasons:
>
> * It represents "best practices" for version numbers. Ideally if two people
>   have version "2.1" of a project, they'll have the same code, however as it
>   stands two people installing at two different times could have two very
>   different versions.
>
> * This will make improving the PyPI infrastructure easier, in particular it
>   will make it simpler to move away from using a glusterfs storage array and
>   switch to a redudant set of cloud object stores.
>
>
> In the past this was brought up and a few points were brought against it,
> those
> were:
>
> 1. That authors could simply change files that were hosted on not PyPI
> anyways
>    so it didn't really do much.
>
> 2. That it was too hard to test a release prior to uploading it due to the
>    nature of distutils requiring you to build the release in the same
> command
>    as the upload.
>
> With the fact that pip no longer hits external URLs by default, I believe
> that
> the first item is no longer that large of a factor. People can do whatever
> they
> want on external URLs of course, however if something is coming from PyPI as
> end users should now be aware of, they can know it is immutable.
>
> Now that there is twine, which allows uploading already created packages, I
> also believe that the second item is no longer a concern. People can easily
> create a distribution using ``setup.py sdist``, test it, and then upload
> that
> exact thing they tested using ``twine upload <path to sdist>``.
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>

More information about the Distutils-SIG mailing list