From: Simon Josefsson
Newsgroups: linux.debian.maint.python
Subject: Stop recommending PyPi as upstream for Debian Python packages?
Date: Thu, 02 Jan 2025 10:00:01 +0100
Message-ID: <87jzbd8uou.fsf_-_@kaka.sjd.se>
References: <20241228070547.GA1535990@subdivi.de> <8734i9q68j.fsf@kaka.sjd.se> <20241228101457.GA1541492@subdivi.de>
List-Archive: https://lists.debian.org/msgid-search/87jzbd8uou.fsf_-_@kaka.sjd.se

Context: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091506#27

Helmut Grohne writes:

> Hi Simon,
>
> On Sat, Dec 28, 2024 at 10:33:28AM +0100, Simon Josefsson wrote:
>> Thank you - I agree and hope to convince upstream PQconnect to pick
>> build dependencies in a better way. This was a bit further down the
>> dependency stack, but hopefully they can help anyway. They brought
>> up a valid concern: prefer not to depend on things not on PyPI and I
>> agree (of course, within reason). It seems unshare is there:
>> https://pypi.org/project/unshare/
>
> Everyone has their own kink. I ignore Python modules that are not in
> Debian and others ignore Python modules not on PyPI.
>
> My reasons for ignoring PyPI:
> * It has a history of hosting malware.
> * It has a history of hosting low-quality modules (such as the one you
>   are packaging).
> * It tends to have multiple competing modules for a use case. Each of
>   them has their own downsides and the good solution ends up not being
>   uploaded to PyPI.
> * Modules come and go, often only ever receiving a single upload, and
>   your dependency ends up becoming technical debt.
> * It has made uploading stuff harder and harder while simultaneously
>   degrading security by stopping support for PGP signatures.
> * Accessing PyPI has become harder since it became "protected" by
>   Fastly.
> * Salvo Tomaselli gave a talk in Toulouse with more reasons.
>
> I no longer consider PyPI worth my time.

I am beginning to feel the same. Is there anyone in the Debian Python
team who feels PyPI is preferable? I don't recall seeing arguments in
favor of PyPI, but maybe they exist.

Otherwise, are there any objections to me updating
https://wiki.debian.org/Python/LibraryStyleGuide?action=show&redirect=Python%2FPackaging#debian.2Fwatch
which led me the wrong way and made me use PyPI as the upstream source
for packages I look at?
/Simon