[Distutils] Outdated packages on pypi

Dima Tisnek dimaqq at gmail.com
Wed Jul 13 14:08:20 EDT 2016


I came across a package by accident.
A mate made a reasonable mistake typing in a pip command, and
something odd got installed.
For a moment I even suspected that package in question was some kind
of malware, so I went to download it manually (not via pip install),
and realised that the package had not been updated for a long while, didn't
have a description, and the GitHub link was broken.

That overall got me thinking about namespace pollution in pip, that
once something is pushed in, it's likely to stay there forever. I
figured, with so many packages in pypi, what's the percentage that
cannot be removed by author for a simple reason that, in the worst
case, author is dead?

Btw., I'm not a fan of domain names (too finicky, change more often
than short names) or unique ids (humans don't handle them well).

I'd rather see something similar to Linux distributions where there's
a curated repository "core" and a few semi-official, like "extra" and
"community," and for some, "testing."
A name foobar resolves to core/foobar-<latest> if that exists, and if
not some subset of other repositories is used.
This way, an outdated package can be moved to another repo without
breaking install base.

In fact, curation without namespaces will already be pretty good.

d.

On 13 July 2016 at 19:24, Jim Fulton <jim at jimfulton.info> wrote:
> On Tue, Jul 12, 2016 at 7:55 AM, Dima Tisnek <dimaqq at gmail.com> wrote:
>> Hi all,
>>
>> Is anyone working on pruning old packages from pypi?
>>
>> I found something last updated in 2014, which, looking at the source
>> appears half-done.
>> Github link doesn't work any longer, no description, etc.
>>
>> I managed to find author's email address out of band, and he responded
>> that he can't remember the password, yada yada.
>>
>> I wonder if some basic automation is possible here -- check if URLs
>> are reachable and if existing package satisfies basic requirements,
>> failing that mark it as "possibly out of date"
>
> I'm curious why you view this as a problem that needs to be solved?
>
> - Do you want to take over the name yourself?
>
> - Are you afraid someone will stumble on this package and use it?
>
> Something else?
>
> Jim
>
> --
> Jim Fulton
> http://jimfulton.info
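An added example, not code from this thread, of the basic automation the quoted message asks about: it checks a PyPI-style JSON metadata record for the three signals raised here (no description, no recent release, dead project links) and returns the reasons it would be marked "possibly out of date". The sample record, the two-year threshold and the url_reachable callable (injected so the check runs offline) are assumptions, not real project data.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Assumption: a project with no release for two years is a staleness candidate.
STALE_AFTER_DAYS = 2 * 365
NOW = datetime(2016, 7, 13, tzinfo=timezone.utc)  # fixed "today": the thread's date

# Constructed sample shaped like a PyPI JSON API record (pypi.org/pypi/<name>/json);
# not a real project: no description, one 2014 upload, a placeholder homepage URL.
SAMPLE_STALE = {
    "info": {
        "summary": "",
        "description": "",
        "home_page": "https://github.com/example-org/abandoned-pkg",
        "project_urls": None,
    },
    "releases": {"0.1": [{"upload_time_iso_8601": "2014-03-01T12:00:00.000000Z"}]},
}

def _latest_upload(meta: Dict) -> Optional[datetime]:
    """Newest upload timestamp across all release files, or None if there are none."""
    latest = None
    for files in meta.get("releases", {}).values():
        for f in files:
            t = datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            if latest is None or t > latest:
                latest = t
    return latest

def audit_package(meta: Dict, url_reachable: Callable[[str], bool], now: datetime) -> List[str]:
    """Reasons a record looks 'possibly out of date'; an empty list means it passed."""
    info = meta.get("info", {})
    reasons = []
    if not (info.get("summary") or info.get("description") or "").strip():
        reasons.append("no description")
    latest = _latest_upload(meta)
    if latest is None:
        reasons.append("no release files")
    elif (now - latest).days > STALE_AFTER_DAYS:
        reasons.append("last release %s is more than %d days old" % (latest.date(), STALE_AFTER_DAYS))
    links = {"home_page": info.get("home_page")}  # plus any project_urls entries
    links.update(info.get("project_urls") or {})
    for label, url in links.items():
        if url and not url_reachable(url):
            reasons.append("%s link %s unreachable" % (label, url))
    return reasons

if __name__ == "__main__":  # offline stand-in for a HEAD request: every link is "dead"
    print(audit_package(SAMPLE_STALE, lambda url: False, NOW))
```

In a real run, url_reachable would issue a HEAD request with a timeout and the record would come from the PyPI JSON endpoint; the heuristics only flag candidates for a human to review.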


More information about the Distutils-SIG mailing list