[Distutils] Immutable Files on PyPI

[Donald Stufft]

On Sep 29, 2014, at 6:01 AM, Nick Coghlan <ncoghlan at gmail.com<mailto:ncoghlan at gmail.com>> wrote:


On 29 Sep 2014 19:50, "Nick Coghlan" <ncoghlan at gmail.com<mailto:ncoghlan at gmail.com>> wrote:
>
>
> On 29 Sep 2014 19:04, "M.-A. Lemburg" <mal at egenix.com<mailto:mal at egenix.com>> wrote:
> >
> > Do you seriously want to force package authors to cut a new release
> > just because a single uploaded distribution file is broken for
> > some reason and then ask all users who have already installed one
> > of the non-broken ones to upgrade again, even though they are not
> > affected ?
>
> Yes, I do. Silently changing released artefacts is actively user hostile. It breaks mirroring, it breaks redistribution, it breaks security audits, and it can even break installation for security conscious users that are using peep rather than pip.

One caveat on this: it would potentially be convenient to have a "release" field in the wheel naming scheme, and adopt a similar approach for other binary formats like Windows installers, specifically to allow those to be updated without needing to do a full source version update.

It's the silent substitution of file contents I have a fundamental problem with, not the notion of being able to publish an updated platform specific build artefact without having to bump the source release version.

Wheel files already include the idea of a build number baked into the filename. That would be
a different filename and thus would be allowed to be uploaded even if you deleted the original
Wheel. Is there something about that which wouldn’t work or did it just slip your mind?

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140929/738a3858/attachment.html>