[Distutils] Reviving PEP 470 - Removing External Hosting support on PyPI

Nick Coghlan ncoghlan at gmail.com
Mon Aug 31 15:32:50 CEST 2015

On 31 August 2015 at 20:59, Wichert Akkerman <wichert at wiggy.net> wrote:
> Sure. My knowledge of rpm is 20 years out of date, so I am going to focus
> the deb/dpkg/apt world only.

For the purposes of this discussion, we can consider the two
ecosystems essentially equivalent. There are differences around what's
builtin and what's a plugin, but the general principles are the same:

* default repos are defined by each distro, not by the tool developers
* source repos and binary repos are separate from each other
* users can add additional repos of both kinds via config files
* config files can also set relative priorities between repos

That last one is the main defence against malicious repos - if you set
your distro repos to a high priority, then third party repos can't
override distro packages, but if you set a particular third party repo
to a high priority then it can override *anything*, not just the
packages you're expecting it to replace.

The key *differences* that are relevant to the current discussion are:

* PyPA are the maintainers of both the default repo *and* the installation tools
* we don't currently have any kind of repo priority mechanism

This is why I think it's important to be clear that we *want* to
improve the off-PyPI hosting experience, as that's something we
consider reasonable for people to want to do, but it's going to take
time and development effort. The question is thus whether it makes
sense to delay significant improvements for the common case (i.e.
hosting on PyPI), while we work on handling the minority case, and I
don't believe it does.

It *may* be worth hacking in special case handling for the packages
already hosted externally, but we can do that as exactly that (i.e. a
special case providing a legacy bridging mechanism until a better
solution is available), rather than as an indefinitely supported


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list