[Python-Dev] Yearly PyPI breakage

Glyph glyph at twistedmatrix.com
Wed May 4 03:38:05 EDT 2016


On May 3, 2016, at 9:15 PM, Stefan Krah <stefan at bytereef.org> wrote:
> 
>> [cut overlong post]
> 
> Glyph,
> 
> nice sneaky way to try to divert from the original issue.

The original issue, as I understood it, at the start of the thread was "which hoops I have to jump through this year in order to keep pip downloads working".  So I showed you the hoops.

Your question implied, to me, that you were not presently aware of how easy it is to simply build and upload your packages with sdist and twine.  After years and years of horrible setuptools bugs, it certainly seemed plausible to me that if you had long-standing experience with python packaging, you might have perhaps developed a well-deserved low opinion of them in the past.  Therefore, you might not be aware of relatively recent improvements to the packaging ecosystem which made this problem trivial to solve.

My intent was, therefore, simply to demonstrate that things have improved, and that this was not a hard thing for you to do and could be resolved with a minimum of fuss.

I confess that before posting I was made aware that you'd had some personality conflicts with some PyPI maintainers in the past.  But that sentence was about the extent and detail level of my understanding.  I was not aware to what extent, and the reason I jumped into this particular thread, when I rarely participate in python-dev, was that I hoped a simple explanation of the facts of the matter from someone you hadn't previously interacted with could address your concerns.

> Your whole post is invalidated by the simple fact that the URL was protected by a hash (which I repeatedly asked to be upgraded to sha256).

Based only on previous discussion here, I had no way to know either of those things.  You didn't reference it in the post I was replying to, or in your original post.  And, as you say later, PyPI's download URL doesn't include the hash any more, so it wasn't there for me to observe.  (There were some manual instructions in your package description but no automated tooling will honor that.)  In any case, fragment hashes are not really a suitable general-purpose mechanism as they are only honored by specific tools (like pip) whereas HTTPS verification ought to be universally supported, so IMHO it is a good thing that PyPI is discouraging their use for this purpose.

> This was the official scheme promoted by PEP-438, which you should know.  But of course your actual intention here is character assassination, pretending to "rescue" cdecimal

In the "overlong" post that you elided, I specifically said I didn't intend to maintain it for long. If this wasn't clear, what I meant to say by that comment was that I would keep the index entry available until you had the opportunity to upload some sdists and wheels yourself to PyPI.  If you don't intend to, I am not the right person to "rescue" the package; someone else who is more invested in cdecimal should provide an alternate PyPI entry, or take over this one.

> and trying to divert from the fact that
> the transition to PEP 470 was handled suboptimally.

I don't see any need to divert attention from this fact, because you appear to be in a minority of one in considering it so.

> The very reason for this thread is that the security was silently disabled WITHOUT me getting a notification.  What is on PyPI *now* is not what I configured!

If that was the reason for the thread, you would have been better served by making that specific complaint rather than asking for information, and then yelling at the people who provided it to you.  You might also consider reporting these issues to an appropriate forum, since python-dev is not the bugtracker for PyPI.  You can find that here: <https://bitbucket.org/pypa/pypi/issues>.  You might also want to continue this thread on distutils-sig; I'm sorry for contributing to the noise on python-dev, but I thought getting a high-profile package such as cdecimal integrated into the modern packaging ecosystem would be worth the off-topic digression.

> [various spurious and irrelevant ad-hominem attacks redacted]


Perhaps naively, given the level of hostility on display here, I still hope that you might see the wisdom in simply uploading build artifacts to PyPI.  But I won't try to convince you further.

-glyph
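The post above touches on PEP 438 style URL fragment hashes (`#md5=...`, `#sha256=...`) being honoured only by tools like pip, and on wanting the pin upgraded from md5 to sha256. The following is an added example, not code from the email, from pip or from cdecimal: it parses such a fragment, verifies downloaded bytes against it with a constant-time comparison, and applies a policy that rejects md5 pins. The URLs and sdist bytes are constructed for the demo; the algorithm set is my assumption of what pip recognises in such fragments.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms assumed to be recognised in a "#algo=hexdigest" fragment;
# the default policy below additionally refuses md5 and sha1 as integrity pins.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
MINIMUM_ACCEPTED = {"sha256", "sha384", "sha512"}


def parse_fragment_hash(url):
    """Return (algorithm, hexdigest) from a fragment like '#sha256=abcd...',
    or None when the URL carries no usable hash pin."""
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        return None
    algo, _, digest = fragment.partition("=")
    algo = algo.lower()
    if algo not in SUPPORTED or not digest:
        return None
    return algo, digest.lower()


def verify_download(url, data, allowed=MINIMUM_ACCEPTED):
    """Check downloaded bytes against the hash pinned in the URL fragment.
    Returns (ok, reason) so a caller can log why a download was rejected."""
    parsed = parse_fragment_hash(url)
    if parsed is None:
        return False, "no hash fragment: integrity not pinned, transport security only"
    algo, expected = parsed
    if algo not in allowed:
        return False, f"{algo} pin not accepted by policy"
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest avoids leaking match position through timing
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, f"{algo} verified"


# Constructed sample data: a fake sdist body and two URLs that pin it
# (example.invalid is a reserved name; this is not a real cdecimal release).
SAMPLE_SDIST = b"fake-sdist-contents-for-demo"
SHA256_URL = "https://example.invalid/cdecimal-demo.tar.gz#sha256=" + hashlib.sha256(SAMPLE_SDIST).hexdigest()
MD5_URL = "https://example.invalid/cdecimal-demo.tar.gz#md5=" + hashlib.md5(SAMPLE_SDIST).hexdigest()

if __name__ == "__main__":
    for u in (SHA256_URL, MD5_URL, "https://example.invalid/cdecimal-demo.tar.gz"):
        print(verify_download(u, SAMPLE_SDIST))
```

Passing `allowed=SUPPORTED` reproduces the permissive behaviour in which an md5 pin is still accepted.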
