On 12/23/2009 10:42 PM, Lennart Regebro wrote:
On Wed, Dec 23, 2009 at 23:28, Sridhar Ratnakumar
<sridh...@activestate.com> wrote:
I suggested PyPI to disallow mere project listings (without sources) and
require sources to be stored in the server. One way to achieve this is
requiring package authors to use the `sdist upload` toolchain
Which only means the packages who now is not uploaded wouldn't even be
listed on PyPI, which is not an improvement.
We can do this only for the new projects/uploads. Existing data can be
left as it is for backwards compatibility. Here's my updated proposal:
[Sridhar's proposal]
How do you propose to change that?
By requiring authors to upload sdists + metadata now onwards.
'sdist upload' would upload the sdist to /packages/source and also have PyPI
generate the metadata from the uploaded sdist. Eg:
/packages/source/f/foo-0.1.tar.gz
/packages/source/f/foo-0.1.tar.gz.PKG-INFO
/packages/source/f/foo-0.1.tar.gz.requires.txt (optional)
If the author prefers to use the web browser to upload, then their sdist must
contain setup.py and PKG-INFO (w/ at least 'name' and 'version').
I would leave the existing setup as it is .. so easy_install/pip would continue
to install packages like Twisted, ClientCookie that, at the moment, do not have
their sdists uploaded in PyPI.
...
While the specific case mentioned above (metadata for a specific or the
latest version of a package) uses HTTP GET and XML, generally speaking .. to
get a) the list of recently releases, b) list of all versions of a package,
one has to use the XmlRpc API methods `changelog` and `package_releases`
respectively.
Well, maybe pure http versions of those would help,
Nope, it matters not whether the metadata can be retrived via a simple
HTTP GET or XmlRpc.
but on the other
hand, if you automate it, why not use xml-rpc?
Because my intention is to have a simple mirror archive (files,
directories) that can be mirrored using tools like rsync.
As often as the mirror sites would update their content (i.e., one or more
times a day).
I meant that most of the third-party apps would only need the
metadata, or? I might be wrong, I haven't written any yet. :-) The
automated documentation that was discussed would only need the source
packages.
Metadata is definitely needed. Otherwise, I'd have to extract the
tarball of each and every release of a pacticular package, in order to
even find their version number (it is unreliable to parse the filename
to get version number).
As for the sdists, the following tools would need it: testing service,
quality ratings, thirdparty package managers (enstaller, PyPM) .. and
not to mention the various mirror sites.
-srid
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
