[Distutils] Outdated packages on pypi

Wes Turner wes.turner at gmail.com
Tue Jul 19 03:25:11 EDT 2016


On Jul 19, 2016 2:37 AM, "Nick Coghlan" <ncoghlan at gmail.com> wrote:
>
> On 18 July 2016 at 02:56, Wes Turner <wes.turner at gmail.com> wrote:
> > If you have an alternate way to represent a graph with JSON, which is
> > indexable as RDF named graph quads and cryptographically signable
> > irrespective of data ordering or representation format (RDFa, JSONLD) with
> > ld-signatures,
> > I'd be interested to hear how said format solves for that problem.
>
> It doesn't, but someone *that isn't PyPI* can still grab the data set,
> throw it into a graph database like Neo4j, calculate the cross
> references, and then republish the result as a publicly available data
> set for the semantic web. That way, the semantic linking won't need to
> be limited just to the Python ecosystem, it will be able to span
> ecosystems, as happens with cases like npm build dependencies (where
> node-gyp is the de facto C extension build toolchain for Node.js, and
> that's written in Python, so NPM dependency analysis needs to be able
> to cross the gap into the Python packaging world) and with frontend
> asset pipelines in Python (where applications often want to bring in
> additional JavaScript dependencies via npm rather than vendoring
> them).
>
> Given that we already have services like libraries.io and
> release-monitoring.org for ecosystem independent tracking of upstream
> releases, they're more appropriate projects to target for the addition
> of semantic linking support to project metadata, as having one or two
> public semantic linking projects like that for the entirety of the
> open source ecosystem would make a lot more sense than each language
> community creating their own independent solutions that would still
> need to be stitched together later.

So, language/packaging-specific subclasses of e.g.
http://schema.org/SoftwareApplication and native linked data would reduce
the need for post-hoc parsing and batch-processing.

There are many benefits to being able to JOIN on URIs and version strings
here.

I'll stop now because OT; the relevant concern here was/is that, if there
are PyPI-maintainer redirects to other packages, that metadata should
probably be signed (and might as well be JSONLD, because this is a graph
of packages and metadata). And there should be a disclaimer regarding
auto-following said redirects.

Also, --find-links makes it dangerous to include comments with links.

#PEP426JSONLD

>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
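The two security points in this message, a signature that survives reordering of the graph data and a client that refuses to auto-follow a redirect it cannot verify, as an added example. This is illustrative code written for this page, not code from the thread, from PyPI, from pip or from any ld-signatures implementation. It assumes: canonical JSON (sorted keys, fixed separators) as a stand-in for the RDF dataset normalization ld-signatures actually uses; a stdlib HMAC-SHA256 in place of a real asymmetric signature so the block runs offline; and hypothetical field names (`redirectTo`, `reason`, `signature`) plus a constructed redirect record that are not PyPI metadata.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample: one redirect record written with two different key orders.
# Field names (redirectTo, reason) are hypothetical, not real PyPI metadata.
RECORD_A = {
    "@context": "http://schema.org",
    "@type": "SoftwareApplication",
    "name": "oldpkg",
    "redirectTo": "https://pypi.org/project/newpkg/",
    "reason": "renamed",
}
RECORD_B = {
    "reason": "renamed",
    "redirectTo": "https://pypi.org/project/newpkg/",
    "name": "oldpkg",
    "@type": "SoftwareApplication",
    "@context": "http://schema.org",
}

# Hypothetical maintainer key. HMAC is used only to keep this stdlib-only; a real
# deployment (ld-signatures, TUF) uses an asymmetric key so that clients verify
# with a public key and never hold a secret.
MAINTAINER_KEY = b"demo-key-not-for-real-use"
TRUSTED_HOSTS = ("pypi.org",)


def canonicalize(record):
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8 bytes.
    Stands in for the RDF normalization (URDNA2015) an ld-signature would use."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(record, key):
    """Sign the canonical form, so the field order of the input is irrelevant."""
    return hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()


def make_signed_record(record, key):
    """Attach a signature; the 'signature' field itself is never part of the input."""
    signed = dict(record)
    signed["signature"] = sign(record, key)
    return signed


def resolve_redirect(signed_doc, key, trusted_hosts=TRUSTED_HOSTS):
    """Return the redirect target only if the signature verifies and the target
    host is allow-listed. Otherwise return None: the client must not auto-follow."""
    record = dict(signed_doc)
    signature = record.pop("signature", None)
    if signature is None:
        return None  # unsigned redirect: surface it, do not follow it
    if not hmac.compare_digest(sign(record, key), signature):
        return None  # tampered, or signed with a different key
    target = record.get("redirectTo")
    if not isinstance(target, str):
        return None
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in trusted_hosts:
        return None  # signature is fine but it points off-index; still refuse
    return target


def same_signature_regardless_of_order():
    """RECORD_A and RECORD_B differ only in key order; their signatures match."""
    return sign(RECORD_A, MAINTAINER_KEY) == sign(RECORD_B, MAINTAINER_KEY)


if __name__ == "__main__":
    doc = make_signed_record(RECORD_A, MAINTAINER_KEY)
    print("order-independent:", same_signature_regardless_of_order())
    print("follow:", resolve_redirect(doc, MAINTAINER_KEY))
    doc["redirectTo"] = "https://pypi.org/project/typosquat/"
    print("tampered:", resolve_redirect(doc, MAINTAINER_KEY))
```

The design point is that the signature binds the canonical form of the whole record, so serving the same graph as JSON-LD with a different key order or whitespace does not invalidate it, while changing any field (the target, the reason) does. The resolver treats "unsigned", "bad signature" and "signed but off-index" identically: it returns nothing and leaves the decision to a human rather than silently following the redirect.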