On May 13, 2009, at 1:15 PM, Tres Seaver wrote:
Jim Fulton wrote:
- We now know not to remove releases.
Not everybody does: I've seen folks *recently* re-upload a changed release without bumping the version number; and "we" is a much narrower set than the set of all PyPI maintainers.
Well, at some point you have to take into account the skills of the maintainers when considering whether to use a package. I personally haven't been burned by this, so I hardly think this is a cause for "fear".
- If you are using something in production, you should archive the necessary source releases, using a tool like zc.sourcerelease.
IOW, you shouldn't do production deployments using a dynamic assembly mechanism.
Which is exactly what I said:
You should be *very* afraid of depending on PyPI for software rolled into production.
I don't consider the 2 statements to be the same. I had a feeling that that was what you meant, at least on some level. I use PyPI when creating source releases. I use source releases (actually binary rpms built from source rpms built from source releases) for deployment. The impression I think you're giving is that people should avoid PyPI and need to build their own indexes and I just don't agree with that.

Jim

--
Jim Fulton
Zope Corporation