
Re: [RFC] DPT Policy: Canonise recommendation against PyPi-provided upstream source tarballs



File names on PyPI are write once. Once a specific file name has been used it can never be used again (even if the entire project was deleted and recreated). 

Projects can delete uploaded files (and as mentioned they can be yanked, but yanking is just extra metadata beside the file), but file content can never change, only be removed. 

Sent from my iPhone

> On Jun 25, 2021, at 11:47 PM, Brian Thompson <brian@hashvault.io> wrote:
> 
> On Fri, Jun 25, 2021 at 07:01:39PM -0400, Nicholas D Steeves wrote:
>> Does PyPi provide immutable releases?
> 
> From experience, I can tell you that yes, releases cannot be overwritten,
> but they can be "yanked".  PyPI states that a yanked release is:
> 
>  "A release that is always ignored by an installer, unless it is the
>  only release that matches a version specifier (using either '==' or
>  '===')."
> 
> -- 
> Best regards,
> 
> Brian T
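
The two properties discussed in this thread (write-once file names with unchanging content, and yanking as metadata beside the file) can be checked mechanically when a packager has recorded a tarball's hash. The following is an added example, not code from the thread, PyPI or any Debian tool. The index entries are constructed sample data modelled on the per-file fields of PyPI's JSON API (`filename`, `digests`, `yanked`); the project name, the helper names `select` and `audit`, and the assumption that the list is ordered oldest to newest are all hypothetical.

```python
import hashlib

# Constructed sample data; project name and file contents are made up.
GOOD = b"constructed sdist bytes for example-pkg 1.0"
INDEX = [
    {"filename": "example_pkg-1.0.tar.gz", "version": "1.0", "yanked": False,
     "digests": {"sha256": hashlib.sha256(GOOD).hexdigest()}},
    {"filename": "example_pkg-1.1.tar.gz", "version": "1.1", "yanked": True,
     "digests": {"sha256": hashlib.sha256(b"constructed 1.1").hexdigest()}},
]

def select(index, version=None):
    """Apply the quoted rule: yanked files are ignored unless an exact
    pin (== or ===) is matched by nothing except yanked files."""
    matches = [f for f in index if version is None or f["version"] == version]
    live = [f for f in matches if not f["yanked"]]
    if live:
        return live[-1]            # newest non-yanked match
    if version is not None and matches:
        return matches[-1]         # exact pin, only yanked files match
    return None

def audit(index, filename, recorded_sha256, data):
    """Compare a previously recorded tarball against the current index."""
    if hashlib.sha256(data).hexdigest() != recorded_sha256:
        return "local-mismatch"    # local copy differs from what was recorded
    entry = next((f for f in index if f["filename"] == filename), None)
    if entry is None:
        return "deleted-upstream"  # files can be removed, never replaced
    if entry["digests"]["sha256"] != recorded_sha256:
        return "index-mismatch"    # contradicts the write-once rule: investigate
    return "yanked" if entry["yanked"] else "ok"

if __name__ == "__main__":
    rec = hashlib.sha256(GOOD).hexdigest()
    print(select(INDEX)["filename"], select(INDEX, "1.1")["filename"])
    print(audit(INDEX, "example_pkg-1.0.tar.gz", rec, GOOD))
```
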

