[Distutils] RFC 2: PEP 541 - Package Index Name Retention

Chris Rose offline at offby1.net
Tue Jan 17 12:25:10 EST 2017


PyPI might not be an archaeological site, but like it or not it *is* a key
part of deployment processes, including those that run headless. I'm
referencing vendoring processes, but the same idea applies when your code
is deployed by any process that includes `pip install` in its steps. While
in an ideal world every user of these packages would host an internal
mirror of the packages they need and rigorously vet them, that's not the
world we live in.

I raise the issue because I believe the bar for taking over an abandoned
name should be nigh-insurmountably high; the risks are in my view severe,
given the way software is built today.

On Mon, Jan 16, 2017 at 5:16 PM, Ethan Furman <ethan at stoneleaf.us> wrote:

> On 01/16/2017 02:02 PM, Chris Rose wrote:
>
>> That depends on policy. I don't want to go too far down the trap of
>> privileging my specific use case, but as a company that vendors
>> *everything* we depend on, our accesses to PyPI for dependencies are
>> pretty rare, which means we might run afoul of these changes when
>> ingesting packages.
>
> If you have everything vendored then you should be able to easily fall
> back to older versions that you already have available.
>
> Maybe run your own PyPI server internally?
>
>> I'm going to ask the pointed question: is there actually any serious
>> value to allowing the replacement of a name for anything that was
>> ever in wide usage?
>
> Possibly not, but with automated downloads to various distributions I
> suspect it becomes very difficult to tell if packages are actually "being
> used".
>
>> [...] -- why should abandonment result in replacement, as long as
>> the existing code has ever been in use?
>
> Because PyPI is not an archaeological site?  Although, having said that,
> perhaps there could be a PyPI/archaeological page for packages that have
> been replaced.
>
> --
> ~Ethan~



-- 
Chris R.
======
Not to be taken literally, internally, or seriously.
Twitter: http://twitter.com/offby1
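Added example, not part of the thread and not pip's own code: the kind of check a headless `pip install` step (or the vetting step of a vendoring process) can run so that a name handed to a new owner cannot silently swap the bytes it installs. It models pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`, with `--hash=sha256:...` pins in the requirements file): every requirement must carry a digest, and the fetched artifact must match one of them. The package names, versions and artifact bytes are constructed; `parse_pins`, `check_artifact` and `verify` are this example's own functions.

```python
"""Hash-pinned install check in the spirit of pip's --require-hashes mode.

Added example, not code from the original thread or from pip. A package whose
name has been transferred to a new owner can ship the same name and version,
but not the same bytes, so a pinned digest exposes the swap. All package
names, versions and artifact bytes below are constructed for this example.
"""
import hashlib
import re


class HashMismatch(Exception):
    """The artifact's sha256 is not among the pinned digests."""


class UnpinnedRequirement(Exception):
    """The requirement carries no --hash pin (rejected, as --require-hashes does)."""


# "name==version" followed by whatever options the line carries.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s\\]+)(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pins(text: str) -> dict[tuple[str, str], set[str]]:
    """Parse 'name==version --hash=sha256:<hex> [--hash=...]' lines.

    Backslash line continuations are joined first, as in a requirements file.
    Package names are lower-cased so lookups are case-insensitive.
    """
    joined = text.replace("\\\n", " ")
    pins: dict[tuple[str, str], set[str]] = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pin: {line!r}")
        name, version, rest = m.group(1).lower(), m.group(2), m.group(3)
        pins[(name, version)] = set(_HASH_RE.findall(rest))
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_artifact(pins: dict, name: str, version: str, data: bytes) -> str:
    """Return the matching digest, or raise if the artifact is unpinned or altered."""
    allowed = pins.get((name.lower(), version))
    if not allowed:
        raise UnpinnedRequirement(f"{name}=={version} has no sha256 pin")
    digest = sha256_hex(data)
    if digest not in allowed:
        raise HashMismatch(f"{name}=={version}: got {digest}, expected one of {sorted(allowed)}")
    return digest


def verify(pins: dict, name: str, version: str, data: bytes) -> str:
    """Non-raising form of check_artifact: 'ok', 'hash-mismatch' or 'unpinned'."""
    try:
        check_artifact(pins, name, version, data)
    except HashMismatch:
        return "hash-mismatch"
    except UnpinnedRequirement:
        return "unpinned"
    return "ok"


# Constructed artifacts: the bytes vetted when the pin was written, and a
# different payload published later under the same name and version by a
# hypothetical new owner of the name.
VETTED_SDIST = b"examplepkg-1.2.0: vetted source distribution (constructed)"
REPLACED_SDIST = b"examplepkg-1.2.0: different bytes from a new owner (constructed)"

# The pin file a vendoring process would commit next to its lock file.
# 'otherpkg' is pinned by version only and is therefore rejected.
PIN_FILE = (
    "examplepkg==1.2.0 \\\n"
    f"    --hash=sha256:{sha256_hex(VETTED_SDIST)}\n"
    "otherpkg==0.9.1\n"
)

if __name__ == "__main__":
    pins = parse_pins(PIN_FILE)
    print("vetted   :", verify(pins, "examplepkg", "1.2.0", VETTED_SDIST))
    print("replaced :", verify(pins, "examplepkg", "1.2.0", REPLACED_SDIST))
    print("unpinned :", verify(pins, "otherpkg", "0.9.1", b"whatever was uploaded"))
```

The same-name, same-version artifact from the new owner fails with a hash mismatch, and a requirement with no pin fails outright rather than being installed on trust; that second behaviour is what makes the mode useful for headless deployments, since a forgotten pin surfaces as a build failure instead of an unverified download.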