[Distutils] Immutable Files on PyPI

Alex Gaynor alex.gaynor at gmail.com
Sun Sep 28 23:58:20 CEST 2014


M.-A. Lemburg <mal at egenix.com> writes:

> 
> -1.
> 
> It does happen that files need to be reuploaded because of a bug
> in the release process and how people manage their code is really
> *their* business, not that of PyPI.

It's not just the business of the package authors, because as soon as it's
uploaded it's visible to users, and swapping it out from under their feet is a
crummy thing to do.

> 
> FWIW, I am getting increasingly annoyed how PyPI and pip try to dictate
> the way package authors are supposed to build, manage and host their
> Python packages and release process. Can we please stop this?
> 


I want to specifically reply to this:

Over the past 6-12 months, the quality of my experience using PyPI and pip has
increased so dramatically, it leaves me wondering how I ever used Python
before. I used to, on a regular basis, experience pip randomly hanging while
trying to spider external stuff, have my downloads silently exposed to MITM
attacks via HTTP, and randomly start getting alphas of packages people uploaded
without realizing that the machinery didn't know about pre-release vs. release
packages.

The changes to pip and PyPI have resolved these issues, and dozens of
others.

Yes, we've constrained PyPI, but across the board we've almost exclusively
constrained things that are nearly universally agreed to be a bad idea.

To quote Glyph, "Constraints make the medium". PyPI is a medium, a canvas for
us to paint a user experience on. Having it be a simple "index" as it was
originally conceived gives package authors a nearly unlimited ability to create
bad, misleading, and insecure experiences for users. By constraining what the
medium of PyPI is, we make it SO much easier for users and package authors to
be a part of a good ecosystem.

So I say: Carry on, Donald and others, keep pushing for the only user experience
to be a great one.

+1 on this proposal,
Alex