[Zope-dev] "ZTK" futures: one big package?
Jim Fulton
jim at zope.com
Wed May 13 14:16:23 EDT 2009
On May 13, 2009, at 1:15 PM, Tres Seaver wrote:
> Jim Fulton wrote:
>
>> - We now know not to remove releases.
>
> Not everybody does: I've seen folks *recently* re-upload a changed
> release without bumping the version number; and "we" is a much narrower
> set than the set of all PyPI maintainers.
Well, at some point you have to take into account the skills of the
maintainers when considering whether to use a package. I personally
haven't been burned by this, so I hardly think this is a cause for
"fear".
>> - If you are using something in production, you should archive the
>> necessary source releases, using a tool like zc.sourcerelease.
>>
>> IOW, you shouldn't do production deployments using a dynamic
>> assembly mechanism.
>
> Which is exactly what I said:
>
>>>> You should be *very* afraid of depending on PyPI for software rolled
>>>> into production.
I don't consider the 2 statements to be the same. I had a feeling
that that was what you meant, at least on some level.
I use PyPI when creating source releases. I use source releases
(actually binary rpms built from source rpms built from source
releases) for deployment.
The impression I think you're giving is that people should avoid PyPI
and need to build their own indexes and I just don't agree with that.
Jim
--
Jim Fulton
Zope Corporation
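
Added example (not part of the original message and not zc.sourcerelease's code): recording SHA-256 digests of archived source releases so that a release re-uploaded under the same version number, or removed, is detected before deployment. The file names, manifest layout and function names are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large sdists do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record(archive_dir: Path) -> dict:
    """Build the manifest {filename: sha256} when releases are archived."""
    return {p.name: sha256_of(p) for p in sorted(archive_dir.iterdir()) if p.is_file()}


def audit(archive_dir: Path, manifest: dict) -> dict:
    """Compare a directory of release files against the recorded manifest.
    changed: same filename (same version), different bytes (re-uploaded release)
    missing: recorded but no longer present (removed release)
    unknown: present but never recorded (not part of the reviewed set)
    """
    current = record(archive_dir)
    return {
        "changed": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unknown": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    # Constructed sample data: package names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example.pkg-1.0.tar.gz").write_bytes(b"original 1.0 contents")
        (d / "other.pkg-2.1.tar.gz").write_bytes(b"original 2.1 contents")
        manifest = record(d)
        # Simulate a re-upload without a version bump, a removal, and a new file.
        (d / "example.pkg-1.0.tar.gz").write_bytes(b"changed, version not bumped")
        (d / "other.pkg-2.1.tar.gz").unlink()
        (d / "extra.pkg-0.3.tar.gz").write_bytes(b"never reviewed")
        return audit(d, manifest)


if __name__ == "__main__":
    print(demo())
```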