Stop recommending PyPi as upstream for Debian Python packages?

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.maint.python
Subject Stop recommending PyPi as upstream for Debian Python packages?
Date 2025-01-02 10:00 +0100
Message-ID <K0pdD-4WPS-3@gated-at.bofh.it> (permalink)
References <JYz7s-3oU1-1@gated-at.bofh.it> <JYBsB-3qai-5@gated-at.bofh.it> <JYoc1-3gQj-1@gated-at.bofh.it> <K0nER-4VZo-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Context: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091506#27

Helmut Grohne <helmut@subdivi.de> writes:

> Hi Simon,
>
> On Sat, Dec 28, 2024 at 10:33:28AM +0100, Simon Josefsson wrote:
>> Thank you - I agree and hope to convince upstream PQconnect to pick
>> build dependencies in a better way. This was a bit further down the
>> dependency stack, but hopefully they can help anyway. They brought
>> up a valid concern: prefer not to depend on things not on PyPI and I
>> agree (of course, within reason).  It seems unshare is there:
>> https://pypi.org/project/unshare/
>
> Everyone has their own kink. I ignore Python modules that are not in
> Debian and others ignore Python modules not on PyPI.
>
> My reasons for ignoring PyPI:
>  * It has a history of hosting malware.
>  * It has a history of hosting low-quality modules (such as the one you
>    are packaging).
>  * It tends to have multiple competing modules for a use case. Each of
>    them has their own downsides and the good solution ends up not being
>    uploaded to PyPI.
>  * Modules come and go often only ever receiving a single upload and
>    your dependency ends up becoming technical debt.
>  * It has made uploading stuff harder and harder while simultaneously
>    degrading security by stopping support for pgp signatures.
>  * Accessing PyPI has become harder since it became "protected" by
>    fastly.
>  * Salvo Tomaselli gave a talk in Toulouse with more reasons.
>
> I no longer consider PyPI worth my time.

I am beginning to feel the same.

Is there anyone in the Debian Python team who feels PyPi is preferable?

I don't recall seeing arguments in favor of PyPi, but maybe they exist.

Otherwise, are there any objections to me updating

https://wiki.debian.org/Python/LibraryStyleGuide?action=show&redirect=Python%2FPackaging#debian.2Fwatch

which led me in the wrong way, and made me use PyPi as the upstream
source for packages I look at?

/Simon
