[python-ldap] older python versions not available anymore

Jens Vagelpohl jens at dataflake.org
Fri Jun 10 12:55:00 CEST 2011

On 6/10/11 10:50 , Peter Jacobs wrote:
> That way I can be sure that they can run the installation and all
> packages are found, because at anytime that file on pypi may have been
> removed and replaced by a 2.4.1 version...

Yes, this is a real problem. I fear Michael is not convinced yet.

Nowadays large applications are developed by combining many separate
eggs, like Python-LDAP, with custom code. In order to manage such an
application buildout systems have emerged, such as zc.buildout, used by
default in the Zope/Plone-universe and many others. zc.buildout allows
the developer not only to name the specific packages and automate
retrieval, but (and this is the BIG issue) it enables so-called version
pinning. The developer can "pin" specific package versions to make sure
the resulting application is the same whenever and wherever it is
deployed. Version pinning is the only way to guarantee that what has
been tested by the developer and QA people is what's running e.g. on the
customer site.

On the other hand package maintainers would like you to upgrade to the
latest version so they don't get repeated support requests for issues
that have already been fixed in later versions. Michael goes one step
further and removes/disables the older versions on PyPI, which is quite
unusual. I don't know of *any* other package maintainer who does this.
Of course this breaks buildouts that expect to find the old versions on

While - as a package maintainer myself - I really appreciate Michael's
concern about unwarranted support requests I strongly believe the choice
of package version *must* be left to the developer/integrator who put
together the larger application. *Everything* that is uploaded to PyPI
should be treated as an immutable and un-deletable entity, otherwise
build systems that try to guarantee repeatability will never work. This
hurts application developers, integrators, and their customers.

As a package maintainer I don't believe in the ideal case where people
will always upgrade to the latest version, and invalid support requests
will ever cease. Matter of fact, the strategy of disabling older
versions will generate its own stream of support requests. Where's the
gain when instead of saying "upgrade to the latest version and come
back" you now need to explain where the old packages went?

@Michael: Like everyone else on this thread I am asking you: Please do
not remove packages from PyPI. Simply uploading later versions will put
everyone who has not made the conscious decision to stick with a
specific version on your latest release. Those who have made the
conscious decision will know to either not bother you, or they simply
cannot complain when you tell them to, well, "sod off".

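The failure mode Jens describes above, a buildout whose pinned release has been removed from the index, is easy to catch before deployment if you compare the pins against what the index actually serves. The following is an added example, not code from the thread, from python-ldap or from zc.buildout: it parses the `[versions]` section of a buildout.cfg with the standard library and reports every pin that cannot be satisfied. The configuration text, the pinned versions other than the 2.4.1 mentioned in the thread, and the index snapshot are all constructed for the example, and the helper names (`parse_pins`, `check_pins`, `normalize_name`) are hypothetical.

```python
"""Report buildout version pins that a package index can no longer satisfy.

Added example (not from the mailing-list thread, python-ldap or zc.buildout).
The index snapshot and the pinned versions below are constructed; 2.4.1 is the
only version number taken from the thread.
"""
import configparser
import re

# Constructed buildout.cfg fragment. zc.buildout reads exact pins from the
# section named in [buildout] versions = ...; here that is [versions].
BUILDOUT_CFG = """
[buildout]
parts = app
versions = versions

[versions]
python-ldap = 2.3.0
zc.buildout = 1.0.0
setuptools = 0.6.0
"""

# Constructed snapshot of an index: project name -> releases still downloadable.
# python-ldap 2.3.0 is deliberately absent to model a release removed from PyPI,
# while a newer 2.4.1 (the version mentioned in the thread) is present.
INDEX_SNAPSHOT = {
    "python-ldap": ["2.4.1"],
    "zc.buildout": ["1.0.0", "0.9.0"],
    "setuptools": ["0.6.0"],
}


def normalize_name(name):
    """Normalize a project name the way package indexes compare them:
    case-insensitive, with runs of '-', '_' and '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(cfg_text):
    """Return {normalized project name: pinned version} from the [versions]
    section of a buildout.cfg. A missing section yields an empty dict."""
    # interpolation=None so a literal '%' in a value is not treated as a reference
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep names as written; normalize_name handles case
    parser.read_string(cfg_text)
    if not parser.has_section("versions"):
        return {}
    return {normalize_name(name): version.strip()
            for name, version in parser.items("versions")}


def check_pins(pins, index):
    """Compare pins against an index snapshot {name: [versions]}.

    Returns a list of (name, pinned_version, available_versions) for every pin
    whose exact release is not served by the index, which is precisely the
    breakage a repeatable buildout suffers when old releases are removed.
    """
    normalized_index = {normalize_name(k): list(v) for k, v in index.items()}
    problems = []
    for name, pinned in sorted(pins.items()):
        available = normalized_index.get(name, [])
        if pinned not in available:
            problems.append((name, pinned, available))
    return problems


def main():
    pins = parse_pins(BUILDOUT_CFG)
    problems = check_pins(pins, INDEX_SNAPSHOT)
    if not problems:
        print("all %d pins are satisfiable" % len(pins))
        return
    for name, pinned, available in problems:
        print("%s: pinned %s is not on the index (available: %s)"
              % (name, pinned, ", ".join(available) or "none"))


if __name__ == "__main__":
    main()
```

Run this against a real index snapshot (for example the release list you fetch for each project) as a pre-deployment gate, and a pin that has silently disappeared shows up as a report line instead of as a failed build on the customer site.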