[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Fri May 9 14:06:19 CEST 2014


On May 9, 2014, at 7:55 AM, Paul Moore <p.f.moore at gmail.com> wrote:

> On 9 May 2014 12:44, Donald Stufft <donald at stufft.io> wrote:
>> We still wouldn't be forcing anyone to upload things to PyPI. We are, however,
>> discouraging people from not hosting on PyPI and providing incentives to doing
>> that.
> 
> But you're doing so by inflicting pain on people using pip to install
> those packages. Those users complain about *pip*, not about the
> packages. Better to directly impact the package maintainers, rather
> than their users (who are innocent victims). Better still of course to
> encourage people to improve things, not to punish them for not doing
> so.

We can’t directly impact the package maintainers, and the vast bulk of people
who have had a problem and complained about it to pip also need to
add the --allow-unverifiable flag, so they would not simply be fixed
by allowing safely externally hosted files.

Looking at the numbers and what packages are hosted externally, allowing
safely externally hosted files would have practically no benefit to pip’s end users.
The only case that I can see with a quick scan would be it would allow the latest
version of argparse.

TBH I think the biggest source of confusion reduction would be to remove the
“safely externally hosted” category altogether and just make it hosted on
PyPI -> install by default, hosted off PyPI -> requires a per-package flag. However,
I’m sure the vocal minority would have a problem with that.

> 
>> I think it's important to point out that one of the driving factors that caused
>> me to finally push for changes and what lead to PEP438 being created was that
>> Mercurial's external hosted was being extremely flaky. I can't remember the
>> exact details but I want to say that over the span of a week or two I was
>> getting massive numbers of users complaining that ``pip install Mercurial``
>> was suddenly failing. This isn't to knock on the Mercurial folks or anything
>> but to simply point out that these problems aren't things that just happen to
>> (under|un)maintained software nor are they hypothetical. This PEP was born of
>> the frustration that was being relayed to me by end users of PyPI/pip.
> 
> So now "pip install Mercurial" always fails? And adding a flag allows
> it to work as well as before, but no better? How did that fix the
> issue? Seriously - I'm missing something here.

No, this caused Mercurial to upload their packages to PyPI.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
