On Thu, Jun 17, 2010 at 13:40, M.-A. Lemburg <[email protected]> wrote:
> Patrick Gerken wrote:
> >
> > As a plone user who uses zc.buildout I very much prefer reliable downloads.
> > It's not fun to search for the reason a supposedly repeatable buildout
> > suddenly fails because a company decided to rename itself.
>
> It is well possible to delete package listings on PyPI. Wouldn't
> you rather be informed about this by way of an error report in
> zc.buildout than by finding that the package name has changed
> a few years later ?

I would prefer to have my buildout to be working. I do not always need the newest versions, and we have cases where customers are working with a specific version of plone where some additional packages made backward incompatible changes that prohibit us from using them for these clients. So yes, I prefer working on a potentially outdated version. During development we check regularly for new versions. We have tools for that.

> > How about only listing packages with provided source code on the simple
> > interface?
> > afaik buildout always uses that, so a package python-openid is visible in the
> > end-user view, but not installable via buildout. That way nobody would ever
> > have created a dependency on it in the first place.
>
> If such external links are a problem for zc.buildout, why don't
> you add an option to zc.buildout that prevents using such
> packages ?

Because I consider pypi the root cause of the problem. Not the tools. pip also allows repeatable package sets by defining specific version requirements. Should this then be patched too?

> This is well possible by checking the /simple index entry
> for links to package download files:
>
> http://pypi.python.org/simple/python-openid/
>
> vs.
>
> http://pypi.python.org/simple/zc.buildout/
>
> BTW: what are all those bug links doing on the zc.buildout index page ?
> They look a lot like a good possibility for injecting trojans.

I don't know. What about the suggestion to show all packages on pypi but not all on the simple view?

I can imagine that having your packages advertised on pypi generates reasonable revenue and I am absolutely not against that. But I am against a pypi index that can not promise to keep its advertised packages available. The simple index view is meant for machines, and I'd be perfectly happy if constraints suggested by Andreas would only be applied to that simple index.

Best regards,
Patrick
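
The check described in the quoted text above ("checking the /simple index entry for links to package download files"), as an added example that is not part of the original message and is not zc.buildout's or pip's own code: it splits the links on a simple-index page into archives served by the index host and links that point off-index. The sample HTML, the file name, the checksum and the example.org hosts are constructed; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ARCHIVE_EXTS = (".tar.gz", ".tar.bz2", ".tgz", ".zip", ".egg")

class LinkCollector(HTMLParser):
    """Collect (href, rel) for every <a> on a simple-index page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], attrs.get("rel") or "unlabelled"))

def classify(index_url, html):
    """Return (hosted_files, external_links) for one project page."""
    collector = LinkCollector()
    collector.feed(html)
    index_host = urlparse(index_url).netloc
    hosted, external = [], []
    for href, rel in collector.links:
        url = urljoin(index_url, href)          # resolve relative hrefs
        parts = urlparse(url)                   # .path excludes "#md5=..."
        if parts.netloc != index_host:
            external.append((rel, url))         # would be fetched off-index
        elif parts.path.lower().endswith(ARCHIVE_EXTS):
            hosted.append(url)
    return hosted, external

def installable_from_index(index_url, html):
    """True only if the index itself serves at least one archive."""
    return bool(classify(index_url, html)[0])

# Constructed sample pages (not real index content).
OPENID_URL = "http://pypi.python.org/simple/python-openid/"
OPENID_HTML = '<a href="http://example.org/openid/" rel="homepage">home_page</a>'
BUILDOUT_URL = "http://pypi.python.org/simple/zc.buildout/"
BUILDOUT_HTML = (
    '<a href="../../packages/source/z/zc.buildout/zc.buildout-0.0.0.tar.gz'
    '#md5=00000000000000000000000000000000">zc.buildout-0.0.0.tar.gz</a>'
    '<a href="http://example.org/bugs/1">bug 1</a>'
)

if __name__ == "__main__":
    for url, page in ((OPENID_URL, OPENID_HTML), (BUILDOUT_URL, BUILDOUT_HTML)):
        hosted, external = classify(url, page)
        print(url, "hosted:", len(hosted), "external:", external)
```

A build tool or a pre-install audit can refuse a project when `installable_from_index` is false, and can log the `external` list to show which off-index hosts a resolver that follows those links would contact.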
