On May 9, 2014, at 7:55 AM, Paul Moore <p.f.mo...@gmail.com> wrote:

> On 9 May 2014 12:44, Donald Stufft <don...@stufft.io> wrote:
>> We still wouldn't be forcing anyone to upload things to PyPI. We are, however,
>> discouraging people from not hosting on PyPI and providing incentives to doing
>> that.
>
> But you're doing so by inflicting pain on people using pip to install
> those packages. Those users complain about *pip*, not about the
> packages. Better to directly impact the package maintainers, rather
> than their users (who are innocent victims). Better still of course to
> encourage people to improve things, not to punish them for not doing
> so.

We can’t directly impact the package maintainers, and the vast bulk of people who have had a problem who have complained about it to pip also need to add the --allow-unverifiable flag and would not simply be able to be fixed by allowing safely externally hosted files.

Looking at the numbers and what packages are hosted externally, allowing safely externally hosted files would have practically no benefit to pip’s end users. The only case that I can see with a quick scan would be it would allow the latest version of argparse.

TBH I think the biggest source of confusion reduction would be to remove the “safely externally hosted” category altogether and just make it hosted on PyPI -> Install by default, hosted off PyPI -> requires a per package flag. However I’m sure the vocal minority would have a problem with that.

>
>> I think it's important to point out that one of the driving factors that caused
>> me to finally push for changes and what led to PEP438 being created was that
>> Mercurial's external hosted was being extremely flaky. I can't remember the
>> exact details but I want to say that over the span of a week or two I was
>> getting massive numbers of users complaining that ``pip install Mercurial``
>> was suddenly failing. This isn't to knock on the Mercurial folks or anything
>> but to simply point out that these problems aren't things that just happen to
>> (under|un)maintained software nor are they hypothetical. This PEP was born of
>> the frustration that was being relayed to me by end users of PyPI/pip.
>
> So now "pip install Mercurial" always fails? And adding a flag allows
> it to work as well as before, but no better? How did that fix the
> issue? Seriously - I'm missing something here.

No, this caused Mercurial to upload their packages to PyPI.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com