
Re: the new PyPI, coming next month



Scott,

Thanks for your reply. I wrote about this at a little more length in
https://mail.python.org/pipermail/python-list/2018-March/732329.html in
response to a related question. But for more discussion on this
particular point, the people you want to talk with are in the Python
distribution/packaging SIG list,
https://mail.python.org/mailman/listinfo/distutils-sig . Sorry to be
pushing you to yet another list, but the in-depth answers you want,
you're more likely to get there.

thanks,
Sumana Harihareswara
-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

On 03/31/2018 11:23 PM, Scott Kitterman wrote:
> What replaces gpg for ensuring integrity of the uploaded code?
> 
> Scott K
> 
> On April 1, 2018 2:15:54 AM UTC, Sumana Harihareswara <sh@changeset.nyc> wrote:
>> Debian-Python experts,
>>
>> I'm writing to you in hopes you will forward this to the right places,
>> and file relevant bugs against uscan/watch, which I don't quite
>> understand enough to do myself. And if you want to follow up on
>> https://github.com/pypa/warehouse/issues/358#issuecomment-337233792 and
>> file a new issue asking for us to support your redirector more cleanly,
>> I'd welcome that.
>>
>> I'm the project manager for the new Python Package Index (Warehouse),
>> which is currently in beta at http://pypi.org/ . On the Warehouse
>> roadmap[1], it looks like the full switch will happen sometime
>> in April, so here's a heads-up about why we're switching, what's
>> changed, and what to expect. (Much of it won't be directly important to
>> you, but I figure you might want to know anyway!)
>>
>> The legacy PyPI site at https://pypi.python.org started in the early
>> 2000s. In recent years, users faced outages, malicious packages, and
>> spam attacks, and the legacy codebase made it hard to maintain and even
>> harder to develop new features.
>>
>> The new PyPI has a far more modern look, and is up-to-date under the
>> hood as well; a proper web framework (Pyramid), 100% backend test
>> coverage, and a Docker-based development environment make it easier for
>> current and new developers to maintain it and add features.
>>
>> Thanks to Mozilla's Open Source Support funding[2], developers have
>> added many new features, overhauled infrastructure, and made steady
>> progress towards redirecting traffic to the new site and shutting down
>> the old one. As of the middle of last year, package releases must go
>> through the new PyPI, and as of late February, new user account
>> registration is only available on the new site. The full switch will
>> include redirecting browser and pip install traffic from the old site;
>> then, sometime in late April or early May, the legacy site will be
>> entirely shut down.
>>
>> Thanks to redirects, you may not have to change anything immediately.
>> Here's a migration guide.[3]
>>
>>
>> Some new PyPI features:
>> * mobile-responsive UI
>> * chronological release history for each project (example[4])
>> * easy-to-read project activity journal for project maintainers
>> * better search and filtering
>> * support for multiple project URLs (e.g., for a homepage and a
>>   repo[5])
>> * user-visible Gravatars and email addresses for maintainers
>> * no need to "register" a project before initial upload
>> * far better backend infrastructure, reducing the frequency of outages
>>
>>
>> Things that are going away, or already have (sometimes for policy or
>> spam-fighting reasons), include:
>> * pythonhosted.com documentation hosting (pypa/warehouse#582[6])
>> * download counts visible in the API[7] (instead, use the Google
>>   BigQuery service[8])
>> * GPG/PGP signatures for packages (still visible in the Simple Project
>>   API[9] per PEP 503[10], but no longer visible in the web UI)
>> * key management: PyPI no longer has a UI for users to manage their GPG
>>   or SSH public keys
>> * package maintainers being able to upload a new release via the web UI
>>   (instead, the recommended command-line tool is Twine[11])
>> * package maintainers being able to log in and update release
>>   descriptions via the web UI (to update release metadata, they need to
>>   upload a new release; see distutils-sig discussion[12])
>> * OpenID and Google auth login[13]
>> * users being able to upload a package without verifying their email
>>   address with PyPI first
>> * HTTP access to APIs; now it's HTTPS-only[14]
>>
>>
>> And in the works:
>> * PEP 541[15] will enable more timely package takeovers, as people get
>>   package names transferred to them after conflict resolution
>> * Now that PEP 566 has been approved, developers are working to get
>>   Markdown supported for README files on PyPI[16]
>>
>>
>> For future updates, please sign up for the low-traffic PyPI
>> announcements email list[17].
>>
>> Thank you for integrating with PyPI, and please let us know[18] if you
>> have any questions or problems with the new site!
>> --
>> Sumana Harihareswara
>> Changeset Consulting
>> https://changeset.nyc
>>
>>
>> Links:
>>
>>   1. https://wiki.python.org/psf/WarehouseRoadmap
>>   2. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
>>   3. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
>>   4. https://pypi.org/project/pip/#history
>>   5. https://packaging.python.org/tutorials/distributing-packages/#project-urls
>>   6. https://github.com/pypa/warehouse/issues/582
>>   7. https://warehouse.readthedocs.io/api-reference/xml-rpc/#changes-to-legacy-api
>>   8. https://packaging.python.org/guides/analyzing-pypi-package-downloads/
>>   9. https://warehouse.readthedocs.io/api-reference/legacy/#simple-project-api
>>  10. https://www.python.org/dev/peps/pep-0503/
>>  11. http://twine.readthedocs.io/
>>  12. https://mail.python.org/pipermail/distutils-sig/2017-December/031826.html
>>  13. https://mail.python.org/pipermail/distutils-sig/2018-January/031855.html
>>  14. https://mail.python.org/pipermail/distutils-sig/2017-October/031712.html
>>  15. https://www.python.org/dev/peps/pep-0541/
>>  16. https://github.com/pypa/warehouse/issues/869#issuecomment-340928703
>>  17. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
>>  18. https://github.com/pypa/warehouse/issues/new
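The quoted announcement says GPG/PGP signatures stay visible in the Simple Project API per PEP 503 even though the web UI drops them, and Scott's question is what a downloader can still use to check integrity. The following is an added example, not code from this thread, from Warehouse or from pip: a small Python parser that pulls the PEP 503 integrity data out of a project page (the `#<algo>=<hexdigest>` fragment on each href, the `data-gpg-sig` attribute and the `.asc` signature location it implies, and `data-requires-python`) and checks a downloaded file against the published digest. The page HTML, file names, paths and digests are constructed for the example (the first digest is sha256 of the bytes `abc`); the base URL `https://pypi.org/simple/example/` is an assumption.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a PEP 503 "simple" project page. It is NOT real
# PyPI output; the paths and digests are made up for the example. The first
# digest is sha256(b"abc") so that verify_download() below can be exercised.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Links for example</title></head><body>
<h1>Links for example</h1>
<a href="../../packages/aa/bb/example-1.0.tar.gz#sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" data-gpg-sig="true">example-1.0.tar.gz</a><br/>
<a href="../../packages/cc/dd/example-1.0-py3-none-any.whl#sha256=0000000000000000000000000000000000000000000000000000000000000000" data-gpg-sig="false" data-requires-python="&gt;=3.4">example-1.0-py3-none-any.whl</a><br/>
<a href="../../packages/ee/ff/example-0.9.tar.gz">example-0.9.tar.gz</a><br/>
</body></html>
"""


class SimpleIndexParser(HTMLParser):
    """Collect every file link on a PEP 503 project page.

    PEP 503 puts the integrity data in the anchor itself: an optional
    #<algo>=<hexdigest> fragment on the href, a data-gpg-sig attribute
    ("true"/"false") saying whether a detached signature is published at
    <href>.asc, and an HTML-escaped data-requires-python attribute.
    """

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.files = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        parts = urlsplit(urljoin(self.base_url, href))
        algo = digest = None
        if "=" in parts.fragment:
            algo, digest = parts.fragment.split("=", 1)
            algo, digest = algo.lower(), digest.lower()
        gpg = {"true": True, "false": False}.get(attrs.get("data-gpg-sig"))
        file_url = parts._replace(fragment="").geturl()
        self._current = {
            "filename": "",
            "url": file_url,
            "hash_algo": algo,
            "hash_value": digest,
            # None means the index did not say either way.
            "has_gpg_sig": gpg,
            "sig_url": file_url + ".asc" if gpg else None,
            # html.parser already unescapes attribute values (&gt; -> >).
            "requires_python": attrs.get("data-requires-python"),
        }

    def handle_data(self, data):
        if self._current is not None:
            self._current["filename"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["filename"] = self._current["filename"].strip()
            self.files.append(self._current)
            self._current = None


def parse_simple_page(page_html, base_url):
    """Return the list of file entries found on a PEP 503 project page."""
    parser = SimpleIndexParser(base_url)
    parser.feed(page_html)
    parser.close()
    return parser.files


def verify_download(entry, data):
    """Check downloaded bytes against the digest the index published.

    Returns True on a match and False on a mismatch. Raises ValueError when
    the index published no digest (or an algorithm hashlib does not know),
    because "no hash" must never be silently treated as "hash OK".
    """
    if not entry["hash_algo"]:
        raise ValueError(f"{entry['filename']}: index published no hash")
    actual = hashlib.new(entry["hash_algo"], data).hexdigest()
    return hmac.compare_digest(actual, entry["hash_value"])


if __name__ == "__main__":
    # The base URL is an assumption for the example; a real client would use
    # the URL it actually fetched the page from.
    for f in parse_simple_page(SAMPLE_PAGE, "https://pypi.org/simple/example/"):
        print(f["filename"], f["hash_algo"], f["has_gpg_sig"], f["sig_url"])
```

The third entry shows the case a client has to handle explicitly: an anchor with no hash fragment and no `data-gpg-sig` attribute gives nothing to verify, so `verify_download` refuses rather than returning True. For the first entry the parser derives the `.asc` location from the file URL as PEP 503 specifies; verifying that signature against a trusted key is a separate step this example does not perform.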

