[Zope-dev] "ZTK" futures: one big package?

Jim Fulton jim at zope.com
Wed May 13 14:16:23 EDT 2009


On May 13, 2009, at 1:15 PM, Tres Seaver wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jim Fulton wrote:
>
>> - We now know not to remove releases.
>
> Not everybody does:  I've seen folks *recently* re-upload a changed
> release without bumping the version number;  and "we" is a much narrower
> set than the set of all PyPI maintainers.

Well, at some point you have to take into account the skills of the  
maintainers when considering whether to use a package.  I personally  
haven't been burned by this, so I hardly think this is a cause for  
"fear".


>> - If you are using something in production, you should archive the
>>   necessary source releases, using a tool like zc.sourcerelease.
>>
>>   IOW, you shouldn't do production deployments using a dynamic
>>   assembly mechanism.
>
> Which is exactly what I said:
>
>
>>>> You should be *very* afraid of depending on PyPI for software rolled
>>>> into production.

I don't consider the 2 statements to be the same.  I had a feeling  
that that was what you meant, at least on some level.

I use PyPI when creating source releases.  I use source releases  
(actually binary rpms built from source rpms built from source  
releases) for deployment.

The impression I think you're giving is that people should avoid PyPI  
and need to build their own indexes and I just don't agree with that.

Jim

--
Jim Fulton
Zope Corporation
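
An added example, not part of the original message and not zc.sourcerelease's own code: one way to catch the re-upload case discussed above (changed content under an unchanged version number) by comparing fresh downloads against SHA-256 digests recorded when the source releases were archived. The directory layout, file names and function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(archive_dir: Path) -> dict[str, str]:
    """Record filename -> SHA-256 for every archived source release."""
    return {p.name: digest(p) for p in archive_dir.iterdir() if p.is_file()}


def check_downloads(manifest: dict[str, str], download_dir: Path) -> dict[str, str]:
    """Classify fresh downloads: 'ok', 'changed' (same name and version,
    different bytes, i.e. a re-upload) or 'unknown' (never archived)."""
    result = {}
    for p in sorted(q for q in download_dir.iterdir() if q.is_file()):
        expected = manifest.get(p.name)
        if expected is None:
            result[p.name] = "unknown"
        elif digest(p) == expected:
            result[p.name] = "ok"
        else:
            result[p.name] = "changed"
    return result


def demo() -> dict[str, str]:
    # Constructed sample data: package names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp, "archive")
        fresh = Path(tmp, "fresh")
        archive.mkdir()
        fresh.mkdir()
        (archive / "example.pkg-1.0.tar.gz").write_bytes(b"original release")
        (archive / "example.lib-2.1.tar.gz").write_bytes(b"library release")
        manifest = build_manifest(archive)
        # Same version number as the archived file, different content.
        (fresh / "example.pkg-1.0.tar.gz").write_bytes(b"changed release")
        (fresh / "example.lib-2.1.tar.gz").write_bytes(b"library release")
        (fresh / "example.new-0.1.tar.gz").write_bytes(b"never archived")
        return check_downloads(manifest, fresh)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Storing the manifest alongside the archived releases lets a deployment reject anything that reports `changed` or `unknown` before it is installed.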



