Martijn Faassen wrote:
> On 9/28/07, Tres Seaver <[EMAIL PROTECTED]> wrote:
>> Total effort involved in maintaining the "gated community" then becomes
>> keeping a set of tarballs available at some web-downloadable location,
>> and re-running the script after adding / removing them to regenerate
>> the index.
> How many of these communities are you going to need? Why can't you
> simply maintain a list of exact versions with version numbers to pull
> from the cheeseshop instead?
Because you can't trust that packages will not get removed, or even
re-released under the same version number, on PyPI: not everybody has
the same "package hygiene" ethos.
> This is already possible with the
> versions feature of buildout. I want something where I can maintain
> these lists better for frameworks inside packages, but if you're just
> going to make lists of packages in the end, why mirror? Is this
> because you're using easy_install and you can't use the versions
> feature? Is it because you don't use buildout?
I've been using buildout and its precursors for *years*, and I still
have my "repeatable" builds break on occasion, e.g.:
- The Postgres guys decide to yank an older package version from
  their servers because they've released a newer one.
- Somebody does "repository surgery" in a way which breaks my checkout
  (e.g., because Subversion checks the revision number *after*
  traversal rather than before).
- Somebody uploads a "fixed" tarball of a release without bumping
  the version number.
In the end, if you want predictable / repeatable deployment, you have to
mirror the sources. The fact that easy_install's '--index-url' feature
makes such a mirror convenient is just a bonus.
Tres Seaver +1 540-429-0999 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
Zope3-dev mailing list
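
Two of the failure modes listed in the message above (a version yanked from its server, a tarball replaced without a version bump) can be detected on a local mirror by pinning each tarball's digest the first time it is seen. This is an added example, not part of the original message and not code from buildout or easy_install; the function names, `pins.json` and the tarball names are assumptions, and the sample files are constructed stand-ins.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream a file through SHA-256 so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_mirror(mirror_dir, lock_file):
    """Compare mirrored tarballs with the digests pinned on first sight."""
    lock_path = Path(lock_file)
    pinned = json.loads(lock_path.read_text()) if lock_path.exists() else {}
    current = {p.name: sha256_of(p) for p in sorted(Path(mirror_dir).glob("*.tar.gz"))}
    report = {
        "new": [n for n in current if n not in pinned],
        # Same file name (same version), different bytes: a silent re-release.
        "changed": [n for n in current if n in pinned and pinned[n] != current[n]],
        # Pinned earlier, no longer present: the release was yanked.
        "missing": [n for n in sorted(pinned) if n not in current],
    }
    # Pin only files never seen before; an existing pin is never overwritten.
    pinned.update({n: current[n] for n in report["new"]})
    lock_path.write_text(json.dumps(pinned, indent=2, sort_keys=True))
    return report

def demo():
    """Run the audit over constructed stand-in files (not real releases)."""
    with tempfile.TemporaryDirectory() as tmp:
        mirror = Path(tmp, "mirror")
        mirror.mkdir()
        lock = Path(tmp, "pins.json")
        (mirror / "example-1.0.tar.gz").write_bytes(b"original release")
        (mirror / "other-2.1.tar.gz").write_bytes(b"another package")
        first = audit_mirror(mirror, lock)
        # Simulate a "fixed" tarball uploaded under the same version number,
        # and an older version removed from the server.
        (mirror / "example-1.0.tar.gz").write_bytes(b"quietly fixed release")
        (mirror / "other-2.1.tar.gz").unlink()
        second = audit_mirror(mirror, lock)
        return first, second

if __name__ == "__main__":
    for label, report in zip(("first run", "second run"), demo()):
        print(label, report)
```

A non-empty `changed` or `missing` list is the signal to stop a build and investigate before regenerating the index.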