[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

R. David Murray rdmurray at bitdance.com
Thu May 8 17:21:27 CEST 2014


On Thu, 08 May 2014 10:37:15 -0400, Donald Stufft <donald at stufft.io> wrote:
> Most users are not going to care up until the point where the external server
> is unavailable, and then they care a whole lot. On the tin it sounds reasonable
> to just download the external file if the server is up; however, we've done
> that for a long time and the end result has been end user pain.
> 
> Now requiring someone to add a flag in order to download an externally hosted
> file is also end user pain. The difference between the two pains is when they
> happen. The requiring a flag pain happens at the point of decision, when you
> decide to make your deployment depend on something hosted externally. The 
> default to allow pain happens sometime in the future, when you may or may not
> have any idea why suddenly your installs aren't working (and when you look,
> PyPI is up so you're really very confused why this particular file doesn't
> work). Even worse is the case when a project has some old files, but the newer
> versions aren't hosted and suddenly people are getting very old releases which
> is even more confusing to the end users.

Ah, I understand now.

Your perspective is as someone who is using pip for *deployment*.

I'm speaking from a python+plus+pip end-user perspective, which is going
to be even more common now that it is part of the Python distribution.

I'm not sure how you reconcile these two worlds.  I would venture to
suggest that if you are using it for deployment you really ought to
be using a local package repository[*], not the global one; but, as
someone observed, the sensible thing to do and what people actually
do are often very different; and, since I haven't done this particular
kind of deployment scenario in Python myself, there may be reasons
I'm missing.

However, your last mention of "end users" confuses me.  Why are "end
users" getting old packages in a deployment situation?  Isn't it the
developer/operations people (and the latter would, I assume, control
the 'external packages' flag) who would be seeing that?  Maybe you mean
something by deployment different from how I use the word?

--David

[*] I found it *such* a pain to do this for perl/cpan.  I have a
project for a customer where I have to do this, and the hoops I had
to jump through to get a reliable deployment (where packages wouldn't
be unexpectedly upgraded under my feet) were nasty.  (This was several
years ago and I haven't revisited it, so maybe things have gotten better,
or I just missed something.)

I haven't had to do it for python yet, oddly enough, so I don't know
how hard it is for Python.

