[Distutils] Immutable Files on PyPI

Donald Stufft donald at stufft.io
Mon Sep 29 16:43:11 CEST 2014 

On September 29, 2014 at 10:41:07 AM, Ian Cordasco (graffatcolmingov at gmail.com) wrote:
On Mon, Sep 29, 2014 at 9:36 AM, Barry Warsaw <barry at python.org> wrote:  
> On Sep 28, 2014, at 07:31 PM, Donald Stufft wrote:  
>  
>>I'd like to discuss the idea of moving PyPI to having immutable files. This  
>>would mean that once you publish a particular file you can never reupload  
>>that file again with different contents. This would still allow deleting the  
>>file or reuploading it if the checksums match what was there prior.  
>  
> Although I have abused this in the past, as others have pointed out, because  
> once uploaded I realize there is a bug in the package. There's a certain  
> class of such bugs that prompt a quick re-upload rather than a version rev,  
> such as some display problem on PyPI (because of package metadata), or some  
> follow on packaging bug, such as a missing MANIFEST.in causing Debian package  
> build to fail. Yes, the latter is more easily checked before upload, but  
> sometimes you feel optimistic. ;)  
>  
> This won't make your lives easier, but I'd like to propose some support for  
> "embargoed" uploads. These would be normal uploads except that they wouldn't  
> be publicly available until a 'publish' button were pushed. Such embargoed  
> uploads wouldn't be subject to the checksum limitation, and we'd have to  
> figure out exactly how such packages would be available (certainly to a logged  
> in owner of the project via the web, but perhaps through an authenticated  
> scriptable interface).  
>  
> Even if you decide against supporting something like this, I'd still be okay  
> with the checksum restriction. You never run out of version numbers.  
>  
> -Barry  

That's essentially what I see as the chief use-case for  
testpypi.python.org. I don't think pypi.python.org needs to support  
this as well. Simple is better than complex after all :)  

Cheers,  
Ian  
_______________________________________________  
Distutils-SIG maillist - Distutils-SIG at python.org  
https://mail.python.org/mailman/listinfo/distutils-sig  

Yea I don’t think PyPI needs anything for this, if someone wants to do it they can use testpypi.python.org, or they can stand up a devpi instance which offers a similar thing plus a lot more for a release process.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140929/b1b0b8fd/attachment.html>

More information about the Distutils-SIG mailing list