What is the point of pythonpackages.com?

What is the point of pythonpackages.com?

Stefan Krah-2
Hello,

I wonder what the point of a site like pythonpackages.com is. For my
package (cdecimal) it spreads misinformation on two counts:

  1) The number of downloads cannot be established since cdecimal
     is not hosted on PyPI.

  2) "Now supports Python 3!" is false since cdecimal has supported
     Python3 from the very beginning.


Otherwise it displays Google ads and the same information as PyPI,
only in a less readable manner.


Stefan Krah



_______________________________________________
Catalog-SIG mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/catalog-sig

Re: What is the point of pythonpackages.com?

Kai Diefenbach-2
Hi,

On 2012-02-04 19:40:54 +0000, Stefan Krah said:

>   1) The number of downloads cannot be established since cdecimal
>      is not hosted on PyPI.

Why not? Packages, which are not hosted on PyPi suck.

Kai



Re: What is the point of pythonpackages.com?

Terry Reedy
On 2/5/2012 8:37 AM, Kai Diefenbach wrote:
> Why not? Packages, which are not hosted on PyPi suck.

This is a technical discussion list, not a flame list.
That comment is both wrong and unhelpful.

--
Terry Jan Reedy


Re: What is the point of pythonpackages.com?

Alex Clark
In reply to this post by Stefan Krah-2
Hi Stefan,

On 2/4/12 2:40 PM, Stefan Krah wrote:
> Hello,
>
> I wonder what the point of a site like pythonpackages.com is. For my
> package (cdecimal)

I think the following explanation applies to all Python packages:

- http://pythonpackages.com/about#why

Download count is important, but it's certainly not the only criteria
one can use to evaluate a package.

> it spreads misinformation on two counts:
>
>    1) The number of downloads cannot be established since cdecimal
>       is not hosted on PyPI.

pythonpackages.com considers this to be "zero downloads". if there was
an API for off-site downloads to report back to PyPI then maybe we could
use it to report those statistics on pythonpackages.com. AFAIK there is
currently no such thing. (I used to have a tool tip in place that
explained this; I'll put it back ASAP. crate.io has something similar in
place IIRC.)


>
>    2) "Now supports Python 3!" is false since cdecimal has supported
>       Python3 from the very beginning.


Fair enough, I changed the message to "Supports Python 3". Is that
better? FWIW there is an issue tracker here for this sort of thing:

- https://bitbucket.org/pythonpackages/pythonpackages.com/issues


>
>
> Otherwise it displays Google ads


 >>> True


> and the same information as PyPI,
> only in a less readable manner.

This is subjective, so I can't really offer an intelligent reply (though
I can tell you that I know people typically either love or hate Twitter
bootstrap; personally, I like it "enough".)


Alex




>
>
> Stefan Krah


--
Alex Clark · http://pythonpackages.com


Re: What is the point of pythonpackages.com?

PJ Eby-2


On Feb 5, 2012 1:48 PM, "Alex Clark" <[hidden email]> wrote:
> pythonpackages.com considers this to be "zero downloads". if there was an API for off-site downloads to report back to PyPI then maybe we could use it to report those statistics on pythonpackages.com. AFAIK there is currently no such thing. (I used to have a tool tip in place that explained this; I'll put it back ASAP. crate.io has something similar in place IIRC.)

Perhaps instead of zero with a tooltip, you could just say "N/A" for releases that don't list any files -- or just exclude the download line altogether.

You do, after all, know whether a release has any files from its PyPI data, so you do know the difference between "zero downloads" and "unknown downloads".



Re: What is the point of pythonpackages.com?

Alex Clark
On 2/5/12 7:01 PM, PJ Eby wrote:

>
> On Feb 5, 2012 1:48 PM, "Alex Clark" <[hidden email]
> <mailto:[hidden email]>> wrote:
>  > pythonpackages.com <http://pythonpackages.com> considers this to be
> "zero downloads". if there was an API for off-site downloads to report
> back to PyPI then maybe we could use it to report those statistics on
> pythonpackages.com <http://pythonpackages.com>. AFAIK there is currently
> no such thing. (I used to have a tool tip in place that explained this;
> I'll put it back ASAP. crate.io <http://crate.io> has something similar
> in place IIRC.)
>
> Perhaps instead of zero with a tooltip, you could just say "N/A" for
> releases that don't list any files -- or just exclude the download line
> altogether.

Done, e.g. http://pythonpackages.com/info/cdecimal


>
> You do, after all, know whether a release has any files from its PyPI
> data, so you do know the difference between "zero downloads" and
> "unknown downloads".


Well, it's a package that exists for which the API reports zero
downloads. That means either there has been no release yet, or the
package does not host its releases on PyPI, IIUC.


Alex


>
>
>
> _______________________________________________
> Catalog-SIG mailing list
> [hidden email]
> http://mail.python.org/mailman/listinfo/catalog-sig


--
Alex Clark · http://pythonpackages.com


Re: What is the point of pythonpackages.com?

Martijn Faassen-2
In reply to this post by Terry Reedy
On 02/05/2012 07:12 PM, Terry Reedy wrote:
> On 2/5/2012 8:37 AM, Kai Diefenbach wrote:
>> Why not? Packages, which are not hosted on PyPi suck.
>
> This is a technical discussion list, not a flame list.
> That comment is both wrong and unhelpful.

'suck' is not the right way to express the problem, and it's the
original poster's choice to host somewhere else, but it can indeed be
inconvenient to quite a few users of PyPI if a package is not hosted on
PyPI.

This because setuptools (and thus, easy_install, pip, buildout) for
better or for worse uses a "trawl the web" approach to find download
links, and multiple sites to download from create multiple potential
points of failure besides PyPI itself.

This makes setuptools work for a range of cases and that's nice, but
it's also a drawback, because on a fairly regular basis I at least have
had the issue that a package wasn't hosted on PyPI and that the site
hosting the package was suddenly down or had changed, breaking the
setuptools-based automatic download. If the package were hosted on PyPI
I wouldn't have had this issue, as PyPI itself is actually tolerably
reliable (especially with mirroring in place; but these external
packages are also not mirrored).

Of course the response I'll undoubtedly get is that I should host these
packages myself or include them in my version control system and all
that. And yes, I can do this, and sometimes I do. But doing that is in
this subjective user's opinion actually an inconvenience. Any 'pip' user
that installs a package from PyPI that has dependencies listed in
setup.py can run into this problem.

So the original poster could at least consider uploading their package
on PyPI to lessen his complaint. Besides the web UI, they'll find handy
tools available to help automate things, such as 'setup.py sdist upload'
and for more power, zest.releaser. But of course they can choose not to
do so at all too - that's the way things work [1].

Regards,

Martijn

[1] I suspect an alternate timeline in which setuptools had never done
this web trawling and would only download from PyPI would have led to a
more pleasant situation for users, though I'm not sure: setuptools being
able to download dependencies might've retarded adoption of setuptools
instead.


Re: What is the point of pythonpackages.com?

Daniel Greenfeld
On Mon, Feb 6, 2012 at 7:32 AM, Martijn Faassen <[hidden email]> wrote:

> This because setuptools (and thus, easy_install, pip, buildout) for better
> or for worse uses a "trawl the web" approach to find download links, and
> multiple sites to download from create multiple potential points of failure
> besides PyPI itself.
>
> This makes setuptools work for a range of cases and that's nice, but it's
> also a drawback, because on a fairly regular basis I at least have had the
> issue that a package wasn't hosted on PyPI and that the site hosting the
> package was suddenly down or had changed, breaking the setuptools-based
> automatic download. If the package were hosted on PyPI I wouldn't have had
> this issue, as PyPI itself is actually tolerably reliable (especially with
> mirroring in place; but these external packages are also not mirrored).
>
> Of course the response I'll undoubtedly get is that I should host these
> packages myself or include them in my version control system and all that.
> And yes, I can do this, and sometimes I do. But doing that is in this
> subjective user's opinion actually an inconvenience. Any 'pip' user that
> installs a package from PyPI that has dependencies listed in setup.py can
> run into this problem.
>
> So the original poster could at least consider uploading their package on
> PyPI to lessen his complaint. Besides the web UI, they'll find handy tools
> available to help automate things, such as 'setup.py sdist upload' and for
> more power, zest.releaser. But of course they can choose not to do so at all
> too - that's the way things work [1].
>
> Regards,
>
> Martijn
>
> [1] I suspect an alternate timeline in which setuptools had never done this
> web trawling and would only download from PyPI would have led to a more
> pleasant situation for users, though I'm not sure: setuptools being able to
> download dependencies might've retarded adoption of setuptools instead.

I agree 100% with Martijn. Maybe there was a time when hosting your
package off of PyPI was a good idea. I think if that time existed, it
has now passed. Normally I prefer giving package authors more control,
but this is one of those places where the users of the service ought
to be able to expect packages to all be found in one location.

--
'Knowledge is Power'
Daniel Greenfeld
http://pydanny.blogspot.com

Re: What is the point of pythonpackages.com?

Alex Clark
Hi

On 2/6/12 11:15 AM, Daniel Greenfeld wrote:

> On Mon, Feb 6, 2012 at 7:32 AM, Martijn Faassen<[hidden email]>  wrote:
>
>> This because setuptools (and thus, easy_install, pip, buildout) for better
>> or for worse uses a "trawl the web" approach to find download links, and
>> multiple sites to download from create multiple potential points of failure
>> besides PyPI itself.
>>
>> This makes setuptools work for a range of cases and that's nice, but it's
>> also a drawback, because on a fairly regular basis I at least have had the
>> issue that a package wasn't hosted on PyPI and that the site hosting the
>> package was suddenly down or had changed, breaking the setuptools-based
>> automatic download. If the package were hosted on PyPI I wouldn't have had
>> this issue, as PyPI itself is actually tolerably reliable (especially with
>> mirroring in place; but these external packages are also not mirrored).
>>
>> Of course the response I'll undoubtedly get is that I should host these
>> packages myself or include them in my version control system and all that.
>> And yes, I can do this, and sometimes I do. But doing that is in this
>> subjective user's opinion actually an inconvenience. Any 'pip' user that
>> installs a package from PyPI that has dependencies listed in setup.py can
>> run into this problem.
>>
>> So the original poster could at least consider uploading their package on
>> PyPI to lessen his complaint. Besides the web UI, they'll find handy tools
>> available to help automate things, such as 'setup.py sdist upload' and for
>> more power, zest.releaser. But of course they can choose not to do so at all
>> too - that's the way things work [1].
>>
>> Regards,
>>
>> Martijn
>>
>> [1] I suspect an alternate timeline in which setuptools had never done this
>> web trawling and would only download from PyPI would have led to a more
>> pleasant situation for users, though I'm not sure: setuptools being able to
>> download dependencies might've retarded adoption of setuptools instead.
>
> I agree 100% with Martijn. Maybe there was a time when hosting your
> package off of PyPI was a good idea. I think if that time existed, it
> has now passed. Normally I prefer giving package authors more control,
> but this is one of those places where the users of the service ought
> to be able to expect packages to all be found in one location.


+1. And if you want to host your packages off-site I think that is
perfectly reasonable. But it would make everyone's life easier if we
knew that: for every release of a Python package on earth, there is a
corresponding package on PyPI.

E.g. In Plone-land we currently encourage dual-releasing to both PyPI
and plone.org/products. This has several benefits:

0. Easy content creation. Having nice product pages for our add-ons is a
marketing win.

1. Everyone that runs buildout to install Plone can rely on packages
being found on PyPI.

2. If PyPI goes down, those folks can use an official PyPI mirror to
install the same set of packages[1]

3. If PyPI goes down, those folks can use plone.org/products[2] to
install any packages released to plone.org/products.

There is also some disadvantage:

1. Folks rarely take advantage of #3. So I think in the future we may
consider replacing plone.org/products with a full PyPI mirror and simply
rely on mirroring instead of dual-releasing.

2. Folks sometimes don't dual-release. Implementing the change suggested
in #1 of this list would fix that.


Alex


[1] In theory. I understand there has been some concern about the
stability/integrity of some mirrors lately.


[2] http://dist.plone.org/packages/


>


--
Alex Clark · http://pythonpackages.com


Re: What is the point of pythonpackages.com?

Donald Stufft
A big +1 to hosting everything on PyPI

On Monday, February 6, 2012 at 12:13 PM, Alex Clark wrote:

> Hi
>
> On 2/6/12 11:15 AM, Daniel Greenfeld wrote:
>> On Mon, Feb 6, 2012 at 7:32 AM, Martijn Faassen<[hidden email]> wrote:
>>
>>> This because setuptools (and thus, easy_install, pip, buildout) for better
>>> or for worse uses a "trawl the web" approach to find download links, and
>>> multiple sites to download from create multiple potential points of failure
>>> besides PyPI itself.
>>>
>>> This makes setuptools work for a range of cases and that's nice, but it's
>>> also a drawback, because on a fairly regular basis I at least have had the
>>> issue that a package wasn't hosted on PyPI and that the site hosting the
>>> package was suddenly down or had changed, breaking the setuptools-based
>>> automatic download. If the package were hosted on PyPI I wouldn't have had
>>> this issue, as PyPI itself is actually tolerably reliable (especially with
>>> mirroring in place; but these external packages are also not mirrored).
>>>
>>> Of course the response I'll undoubtedly get is that I should host these
>>> packages myself or include them in my version control system and all that.
>>> And yes, I can do this, and sometimes I do. But doing that is in this
>>> subjective user's opinion actually an inconvenience. Any 'pip' user that
>>> installs a package from PyPI that has dependencies listed in setup.py can
>>> run into this problem.
>>>
>>> So the original poster could at least consider uploading their package on
>>> PyPI to lessen his complaint. Besides the web UI, they'll find handy tools
>>> available to help automate things, such as 'setup.py sdist upload' and for
>>> more power, zest.releaser. But of course they can choose not to do so at all
>>> too - that's the way things work [1].
>>>
>>> Regards,
>>>
>>> Martijn
>>>
>>> [1] I suspect an alternate timeline in which setuptools had never done this
>>> web trawling and would only download from PyPI would have led to a more
>>> pleasant situation for users, though I'm not sure: setuptools being able to
>>> download dependencies might've retarded adoption of setuptools instead.
>>
>> I agree 100% with Martijn. Maybe there was a time when hosting your
>> package off of PyPI was a good idea. I think if that time existed, it
>> has now passed. Normally I prefer giving package authors more control,
>> but this is one of those places where the users of the service ought
>> to be able to expect packages to all be found in one location.
>
> +1. And if you want to host your packages off-site I think that is
> perfectly reasonable. But it would make everyone's life easier if we
> knew that: for every release of a Python package on earth, there is a
> corresponding package on PyPI.
>
> E.g. In Plone-land we currently encourage dual-releasing to both PyPI
> and plone.org/products. This has several benefits:
>
> 0. Easy content creation. Having nice product pages for our add-ons is a
> marketing win.
>
> 1. Everyone that runs buildout to install Plone can rely on packages
> being found on PyPI.
>
> 2. If PyPI goes down, those folks can use an official PyPI mirror to
> install the same set of packages[1]
>
> 3. If PyPI goes down, those folks can use plone.org/products[2] to
> install any packages released to plone.org/products.
>
> There is also some disadvantage:
>
> 1. Folks rarely take advantage of #3. So I think in the future we may
> consider replacing plone.org/products with a full PyPI mirror and simply
> rely on mirroring instead of dual-releasing.
>
> 2. Folks sometimes don't dual-release. Implementing the change suggested
> in #1 of this list would fix that.
>
> Alex
>
> [1] In theory. I understand there has been some concern about the
> stability/integrity of some mirrors lately.







Re: What is the point of pythonpackages.com?

Stefan Krah-2
In reply to this post by Martijn Faassen-2
Martijn Faassen <[hidden email]> wrote:
> original poster's choice to host somewhere else, but it can indeed be  
> inconvenient to quite a few users of PyPI if a package is not hosted on  
> PyPI.

I don't see any inconvenience since bytereef.org has a comparable
uptime to python.org.

I've listed my reasons for not hosting on PyPI earlier here:

http://mail.python.org/pipermail/catalog-sig/2011-May/003746.html


Stefan Krah



Re: What is the point of pythonpackages.com?

Stefan Krah-2
In reply to this post by Alex Clark
Alex Clark <[hidden email]> wrote:
>> Perhaps instead of zero with a tooltip, you could just say "N/A" for
>> releases that don't list any files -- or just exclude the download line
>> altogether.
>
> Done, e.g. http://pythonpackages.com/info/cdecimal

Thanks, that is more informative.


Stefan Krah



Re: What is the point of pythonpackages.com?

Andreas Jung-5
In reply to this post by Stefan Krah-2
Stefan Krah wrote:
> Martijn Faassen <[hidden email]> wrote:
>> original poster's choice to host somewhere else, but it can indeed
>> be inconvenient to quite a few users of PyPI if a package is not
>> hosted on PyPI.
>
> I don't see any inconvenience since bytereef.org has a comparable
> uptime to python.org.

Not an argument. It is in the interest of all serious Python developers
that Python packages are maintained in a proper way on PyPI
(documentation, hosting, metadata etc.). Having a package on a private
server is often a single-point-of-failure and not acceptable for
professional deployments. My point about this: if a person does not want
to host its package on PyPi then it should stay away from PyPI. Package
hygiene and a certain level of professional package repository is more
important than personal reasons for not hosting packages on PyPI.

-aj
Re: What is the point of pythonpackages.com?

Donald Stufft
In reply to this post by Stefan Krah-2
It's your prerogative to host it where you will, but just from my personal point of view:

On Monday, February 6, 2012 at 3:08 PM, Stefan Krah wrote:

> Martijn Faassen <[hidden email]> wrote:
>> original poster's choice to host somewhere else, but it can indeed be
>> inconvenient to quite a few users of PyPI if a package is not hosted on
>> PyPI.
>
> I don't see any inconvenience since bytereef.org has a comparable
> uptime to python.org.

Even if your server has a _better_ uptime than PyPI, the combined downtime will be worse. (If PyPI is down the
user cannot install your package, or any package, if your server is down, but PyPI is up they cannot install your
package but can other packages.)

> I've listed my reasons for not hosting on PyPI earlier here:
>
> Stefan Krah

To address what was said here:
 
1) This is a valid complaint and should be brought up as a reason to amend the ToS (not particularly sure what the ToS is for PyPI tbh)

2) This complaint isn't particularly valid in the sense of should I upload my files to PyPI. You are already uploading the metadata that
they are scraping, otherwise you would be unable to list on PyPI. Whether or not you have a file hosted there won't make one bit of
difference to Google.

3) This is valid as well, I would argue that you should push for better package download stats for the authors of packages.

4) I think this is an invalid point as well, it's quite easy to add a Home Page metadata (as you already have done), and to
make your long_description state that the primary page for your package is at http://www.bytereef.org/mpdecimal/index.html
and to go there for that information.

5) I addressed this above but I'll reiterate this point, unless your server has (actual, not theoretical) 100% uptime as well as all
the networking routes between it and the end user, people installing your package have a greater chance of being unable to
install your package than if you just hosted on PyPi. You cannot remove their dependency on PyPI being up, but adding another
possible place for failure means that the combined uptime of your package being installable is lower.

Theoretical 99% uptime of PyPI and 99% uptime of your server would mean a combined 98% uptime. And that's without getting
into the additional points of failure between the person wanting to use your package and your server.


Re: What is the point of pythonpackages.com?

Martijn Faassen-2
In reply to this post by Stefan Krah-2
On 02/06/2012 09:08 PM, Stefan Krah wrote:
> Martijn Faassen<[hidden email]>  wrote:
>> original poster's choice to host somewhere else, but it can indeed be
>> inconvenient to quite a few users of PyPI if a package is not hosted on
>> PyPI.
>
> I don't see any inconvenience since bytereef.org has a comparable
> uptime to python.org.

I've experienced a site which was hosting a Python package which had
awesome uptime, but then something was screwed up about the security of
the host at some point and while it remained up, it took forever
(months? years?) to get resolved.

So anyway, it's great bytereef.org has great uptime, but it's also clear
relying on 10 sites, even if each have a great uptime and network
reachability is going to give me worse uptime than having to rely on
one, if that one has a reasonable uptime. Unless of course the content
is mirrored, in which case reliability goes up.

> I've listed my reasons for not hosting on PyPI earlier here:
>
> http://mail.python.org/pipermail/catalog-sig/2011-May/003746.html

Interesting, and thank you for the reference. Your reasons make sense of
course, though they don't tip the balance for me personally. I notice
all your reasons (besides the uptime one) are about control over your
package as the author. The arguments I've made from the perspective of
package users. I'm a package author too; plenty of my stuff on PyPI, but
I'm an even bigger user of other people's code.

Regards,

Martijn


Re: What is the point of pythonpackages.com?

Stefan Krah-2
In reply to this post by Andreas Jung-5
Andreas Jung <[hidden email]> wrote:
> > I don't see any inconvenience since bytereef.org has a comparable
> > uptime to python.org.
>
> Not an argument. It is in the interest of all serious Python developers
> that Python packages are maintained in a proper way on PyPI
> (documentation, hosting, metadata etc.). Having a package on a private
> server is often a single-point-of-failure and not acceptable for
> professional deployments.

Martijn Faassen has predicted that this would come up, so here it goes:

If that's a point of failure then you are simply not doing a professional
deployment.

People who need guarantees like that should maintain their own package
repository or try Enthought, ActiveState, etc.



Stefan Krah



Re: What is the point of pythonpackages.com?

Stefan Krah-2
In reply to this post by Martijn Faassen-2
Martijn Faassen <[hidden email]> wrote:
> On 02/06/2012 09:08 PM, Stefan Krah wrote:
>> I don't see any inconvenience since bytereef.org has a comparable
>> uptime to python.org.
>
> I've experienced a site which was hosting a Python package which had  
> awesome uptime, but then something was screwed up about the security of  
> the host at some point and while it remained up, it took forever  
> (months? years?) to get resolved.

And? I'm not exactly unreachable and I doubt there will be a security problem.
Furthermore I'm posting the sha256sums of the packages in the announcements,
so they are archived on several mailing lists.

For the general case I'd suggest that PyPI gives an author the option to
tie an sha256sum to a package version *once*. This leaves an opportunity
to correct a release (recent discussion), but as soon as the checksum is
published it cannot be altered.

If a package is removed entirely, any version numbers that have been used
would need to be stored internally to prevent a re-upload with the same name
but a different checksum.


The download tools would need to get the capability to verify the checksum.


Stefan Krah
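
The write-once checksum scheme proposed in the message above, sketched as an added example that is not part of the original post and not PyPI's code. `ChecksumIndex`, `verify_download` and the package `examplepkg` are hypothetical names, the release bytes are constructed, and treating a re-sent identical digest as a no-op is an assumption.

```python
import hashlib
import hmac


class ChecksumConflict(Exception):
    """A published checksum would be changed."""


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


class ChecksumIndex:
    """Hypothetical index-side store: (name, version) -> sha256, write-once."""

    def __init__(self):
        self._pins = {}       # survives package removal (acts as a tombstone)
        self._listed = set()  # package names currently visible in the index

    @staticmethod
    def _key(name, version):
        # Fold case and "_"/"-" so one project cannot be pinned under two spellings.
        return (name.lower().replace("_", "-"), version)

    def pin(self, name, version, digest):
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError("expected a 64-character sha256 hex digest")
        key = self._key(name, version)
        published = self._pins.get(key)
        if published is not None and published != digest:
            raise ChecksumConflict("%s %s is already pinned" % key)
        # Assumption: re-sending the identical digest is a harmless no-op.
        self._pins[key] = digest
        self._listed.add(key[0])

    def remove_package(self, name):
        # Delisting keeps every pin, so a later re-upload of a used version
        # number must still match the checksum that was published for it.
        self._listed.discard(self._key(name, "")[0])

    def is_listed(self, name):
        return self._key(name, "")[0] in self._listed

    def lookup(self, name, version):
        return self._pins.get(self._key(name, version))


def verify_download(index, name, version, payload):
    """Client-side check a download tool would run before installing."""
    expected = index.lookup(name, version)
    if expected is None:
        return "unpinned"   # author has not published a checksum yet
    if hmac.compare_digest(sha256_hex(payload), expected):
        return "ok"
    return "mismatch"


def demo():
    index = ChecksumIndex()
    release = b"constructed bytes standing in for examplepkg-1.0.tar.gz"
    tampered = release + b" plus an injected payload"

    index.pin("ExamplePkg", "1.0", sha256_hex(release))
    results = {
        "genuine": verify_download(index, "examplepkg", "1.0", release),
        "tampered": verify_download(index, "examplepkg", "1.0", tampered),
        "no_pin_yet": verify_download(index, "examplepkg", "1.1", release),
    }

    # Changing a published checksum is refused, even after the package is removed.
    index.remove_package("examplepkg")
    results["listed_after_removal"] = index.is_listed("examplepkg")
    try:
        index.pin("examplepkg", "1.0", sha256_hex(tampered))
        results["repin_after_removal"] = "accepted"
    except ChecksumConflict:
        results["repin_after_removal"] = "rejected"
    results["tombstone_still_verifies"] = verify_download(
        index, "examplepkg", "1.0", release)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Because the pin outlives removal, a download tool can still reject a substituted archive for a version that was delisted and later re-hosted elsewhere.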


Re: What is the point of pythonpackages.com?

Daniel Greenfeld
In reply to this post by Stefan Krah-2
On Mon, Feb 6, 2012 at 12:55 PM, Stefan Krah <[hidden email]> wrote:

> Andreas Jung <[hidden email]> wrote:
>> > I don't see any inconvenience since bytereef.org has a comparable
>> > uptime to python.org.
>>
>> Not an argument. It is in the interest of all serious Python developers
>> that Python packages are maintained in a proper way on PyPI
>> (documentation, hosting, metadata etc.). Having a package on a private
>> server is often a single-point-of-failure and not acceptable for
>> professional deployments.
>
> Martijn Faassen has predicted that this would come up, so here it goes:
>
> If that's a point of failure then you are simply not doing a professional
> deployment.
>
> People who need guarantees like that should maintain their own package
> repository or try Enthought, ActiveState, etc.

I've been told that 'professional deployments should not be done
from PyPI' for years. That's always irked me quite a bit, and I think
that things should change. In fact, I contend that as PyPI is the
canonical place for package listings, then that sentence is incredibly
dismaying/shocking for new users of Python. How do Fedora/Ubuntu/Perl
and other systems work? Are their systems also modeled the same way?

So why can't PyPI become the best place for package downloads? The
technical obstacles are being overcome with mirrors and improved
architecture. As that occurs, I think a requirement for PyPI listing
should be that a copy of the posted version is on the site.

--
'Knowledge is Power'
Daniel Greenfeld
http://pydanny.blogspot.com
Re: What is the point of pythonpackages.com?

Terry Reedy
In reply to this post by Andreas Jung-5
On 2/6/2012 3:17 PM, Andreas Jung wrote:
> My point about this: if a person does not want
> to host its package on PyPi then it should stay away from PyPI.

The Python Package Index was originally just that: a package *INDEX*,
aiming to be a complete index. It did not originate the idea of such an
index, but has pretty much superseded previous 'unofficial' efforts.

Now you want to censor it to meet *your* needs, to only list packages
that *you* are interested in.

If I remember correctly, the Cheeseshop/PyPI was originally *just* an
index. The hosting-repository service was added later -- as a
convenience firstly to authors. I now believe that the repository should
have been and should be kept separate, as the Python Package Repository
-- PyPaR. Then repository issues would be clearly separate from index
issues.

--
Terry Jan Reedy


Re: What is the point of pythonpackages.com?

Jacob Kaplan-Moss-2
In reply to this post by Daniel Greenfeld
Daniel Greenfeld wrote:
> I've been told that 'professional deployments should not be done
> from PyPI' for years. That's always irked me quite a bit, and I think
> that things should change.

I completely agree.

I'm one of those people who's told you that you can't rely on PyPI for
repeatable, bullet-proof deployments. That's a statement of fact, but
it's not a situation I'm particularly happy with. It'd be a pretty great
thing for our community if we could improve PyPI to the point that it
has sufficient reliability.

It's not a particularly hard problem technically, but it is going to
require us to stop being content with the status quo and push PyPI forward.

Alex, Donald, et al. -- keep up the good work!

Jacob