Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Nick Coghlan
On 13 May 2016 at 02:33, Brett Cannon wrote: > Both Donald and Nathaniel say to drop it, and since I put it in just to be > overly cautious I'm fine with dropping it. So unless Nick says > "semantics-version or death!", I agree w/ my co-authors and would update the > PEP to say:

[Distutils] Does pip Honour "Obsoletes"?

2016-05-12 Thread Phil Thompson
I may be doing something wrong, but... The METADATA in my wheel uses Obsoletes but pip does not remove the obsoleted package on an install of my wheel. Is it supposed to? Thanks, Phil

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Barry Warsaw
On May 12, 2016, at 04:34 PM, Donald Stufft wrote: >So my response to this is, let's pretend for a minute that we have the >greatest and most amazing setup for verifying that the key 0x6E3CBCE93372DCFA >belongs to me. What's your next step? How do you verify that I'm allowed to >release for pip?

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Nathaniel Smith
On May 12, 2016 4:41 AM, "Donald Stufft" wrote: > [...] > All in all, I think that there is not a whole lot of point to having this > feature in PyPI, it is predicated a bunch of invalid assumptions (as detailed > above) and I do not believe end users are actually even using the

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Barry Warsaw
On May 12, 2016, at 07:41 AM, Donald Stufft wrote: >I am aware of a single tool anywhere that actively supports verifying the >signatures that people upload to PyPI, and that is Debian's uscan >program. Even in that case the people writing the Debian watch file have to >hardcode in a signing key

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Jeremy Stanley
On 2016-05-12 07:41:21 -0400 (-0400), Donald Stufft wrote: [...] > What do folks think? Would anyone be particularly against getting > rid of the GPG support in PyPI? We have plans[*] in the OpenStack community to start autosigning our sdist and wheel builds (and similar release artifacts we

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 8:56 AM, Nick Coghlan wrote: > > On 12 May 2016 at 21:41, Donald Stufft wrote: >> Thus, I would like to remove this feature from PyPI (but not from PEP 503, if >> other repositories want to continue to support it they are free to).

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Nick Coghlan
On 12 May 2016 at 21:41, Donald Stufft wrote: > Thus, I would like to remove this feature from PyPI (but not from PEP 503, if > other repositories want to continue to support it they are free to). Doing > this > would allow simplifying code we have in Warehouse anyplace we

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 8:31 AM, Nick Coghlan wrote: > > We could also keep semantics-version, and just put it inside [build-system]. > > Either way, by allowing access to the [tool.*] namespace without any > other version check, the key constraint we're placing on ourselves

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Nick Coghlan
On 12 May 2016 at 19:07, Nathaniel Smith wrote: > When we were spitballing the draft, I think where [package] originally > came from was the idea that having semantics-version at the top level > is not actually useful -- most tools will only care about the > semantics of the

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Xavier Fernandez
I'm not sure that is an issue: if the version is bumped, this won't happen overnight. Why would projects/tools not have the time to update and support semantic-version 1 and 2? On Thu, May 12, 2016 at 11:07 AM, Nathaniel Smith wrote: > On Thu, May 12, 2016 at 12:01 AM, Nick

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 8:05 AM, Paul Moore wrote: > > On 12 May 2016 at 12:41, Donald Stufft wrote: >> What do folks think? Would anyone be particularly against getting rid of the >> GPG support in PyPI? > > 28K projects is too many to do a mailshot, but

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Paul Moore
On 12 May 2016 at 12:41, Donald Stufft wrote: > What do folks think? Would anyone be particularly against getting rid of the > GPG support in PyPI? 28K projects is too many to do a mailshot, but would it be worth asking this question more widely than on distutils-sig? Just "Do

[Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
Currently, PyPI allows you to upload a GPG signature along with your package file as well as associate a GPG Short ID with your user. Theoretically this allows end users to not trust PyPI and instead validate end to end signatures from the original author. I've written [1] previously about

Re: [Distutils] comparison of configuration languages

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 3:20 AM, Nick Coghlan wrote: > > On 11 May 2016 at 15:47, Greg Ewing wrote: >> Having looked over the TOML spec, I like the simplicity >> of it (and I cringe from the complexity of YAML). >> The only thing I don't like

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Paul Moore
On 12 May 2016 at 10:07, Nathaniel Smith wrote: > ...Given how complicated this is ending up being, I'm sorta inclined > to just drop semantics-version. It's only in there as a "hey why not > it doesn't hurt" thing. I can't imagine any situation in which we'd > actually bump the

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Nathaniel Smith
On Thu, May 12, 2016 at 12:01 AM, Nick Coghlan wrote: > On 12 May 2016 at 11:33, Donald Stufft wrote: >> I don't really think of it as package vs tool, I think of it as an implicit >> vs an explicit . I think it makes the >> file >> uglier to have the

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Xavier Fernandez
Thanks for your work! For what it's worth, I also think that: - semantics-version (or maybe pyproject-version? to mimic the Wheel-Version of the WHEEL file) should be a top level value; - [build-system] requires = ["setuptools", "wheel"] reads nicely and better than [package.build-system]

Re: [Distutils] comparison of configuration languages

2016-05-12 Thread Nick Coghlan
On 11 May 2016 at 15:47, Greg Ewing wrote: > Having looked over the TOML spec, I like the simplicity > of it (and I cringe from the complexity of YAML). > The only thing I don't like about TOML is the way it > cops out on nesting. > > The only reason it does that as

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Nick Coghlan
On 12 May 2016 at 11:33, Donald Stufft wrote: > I don't really think of it as package vs tool, I think of it as an implicit > vs an explicit . I think it makes the > file > uglier to have the explicit, particularly since I think the > example should really be something like: >

Re: [Distutils] PEP for specifying build dependencies

2016-05-12 Thread Nick Coghlan
On 12 May 2016 at 00:26, Antoine Pitrou wrote: > On Thu, 12 May 2016 00:20:32 +1000 > Nick Coghlan wrote: >> >> When I say "build system configuration" in the context of >> distutils/setuptools, I mean things like: >> >> * MANIFEST.in >> * non-dependency