<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>PEP 592: Support for "Yanked" Files in the Simple Repository API - Packaging - Discussions on Python.org</title> <meta name="description" content="I’ve just submitted PEP 592 which will implement the ability to mark a file as “yanked” in the simple repository API. Because this is adding a new attribute, it will not affect how any current versions of pip interpret t&hellip;"> <meta name="generator" content="Discourse 3.5.0.beta2-dev - https://github.com/discourse/discourse version 0ebd0a0bd5e44d3604e89ec47168f1065c6139cb"> <link rel="icon" type="image/png" href="https://us1.discourse-cdn.com/flex002/uploads/python1/optimized/1X/9997f0605d56c4bfecd63594f52f42cdafd6b06a_2_32x32.png"> <link rel="apple-touch-icon" type="image/png" href="https://us1.discourse-cdn.com/flex002/uploads/python1/optimized/1X/4c06143de7870c35963b818b15b395092a434991_2_180x180.png"> <meta name="theme-color" media="(prefers-color-scheme: light)" content="#fff"> <meta name="theme-color" media="(prefers-color-scheme: dark)" content="#111111"> <meta name="color-scheme" content="light dark"> <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, viewport-fit=cover"> <link rel="canonical" href="https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629" /> <link rel="search" type="application/opensearchdescription+xml" href="https://discuss.python.org/opensearch.xml" title="Discussions on Python.org Search"> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/color_definitions_base__2_c004f9553969f4973b71c1bfed3c4b8f0bd200ce.css?__ws=discuss.python.org" media="(prefers-color-scheme: light)" rel="stylesheet" class="light-scheme"/><link href="https://sea2.discourse-cdn.com/flex002/stylesheets/color_definitions_dark_1_2_1b1089952192d39476c35bdb626ccc59b0a0230a.css?__ws=discuss.python.org" media="(prefers-color-scheme: dark)" rel="stylesheet" 
class="dark-scheme"/> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/desktop_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="desktop" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/automation_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="automation" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/checklist_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="checklist" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-ai_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-ai" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-akismet_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-akismet" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-chat-integration_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-chat-integration" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-data-explorer_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-data-explorer" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-details_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-details" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-lazy-videos_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-lazy-videos" /> <link 
href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-local-dates_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-local-dates" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-math_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-math" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-narrative-bot_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-narrative-bot" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-policy_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-policy" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-presence_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-presence" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-solved_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-solved" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-templates_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-templates" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-topic-voting_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-topic-voting" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-user-notes_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-user-notes" /> <link 
href="https://sea2.discourse-cdn.com/flex002/stylesheets/footnote_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="footnote" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/hosted-site_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="hosted-site" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/poll_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="poll" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/spoiler-alert_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="spoiler-alert" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-ai_desktop_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-ai_desktop" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/discourse-topic-voting_desktop_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="discourse-topic-voting_desktop" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/poll_desktop_5280f46422a5df0303bf1d1607d6e602c8deb411.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="poll_desktop" /> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/desktop_theme_4_917a6110e3c364378c47d29558a9857cf034f6a1.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="desktop_theme" data-theme-id="4" data-theme-name="unformatted code detector"/> <link href="https://sea2.discourse-cdn.com/flex002/stylesheets/desktop_theme_2_dadcc60843d511f9c6053f4053574b4d66d34d89.css?__ws=discuss.python.org" media="all" rel="stylesheet" data-target="desktop_theme" data-theme-id="2" data-theme-name="light"/> <link rel="alternate 
nofollow" type="application/rss+xml" title="RSS feed of 'PEP 592: Support for &quot;Yanked&quot; Files in the Simple Repository API'" href="https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629.rss" /> <meta property="og:site_name" content="Discussions on Python.org" /> <meta property="og:type" content="website" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:image" content="https://us1.discourse-cdn.com/flex002/uploads/python1/original/1X/f93ff97c4f381b5e8add5a0c163b4ded29f20ed7.png" /> <meta property="og:image" content="https://us1.discourse-cdn.com/flex002/uploads/python1/original/1X/f93ff97c4f381b5e8add5a0c163b4ded29f20ed7.png" /> <meta property="og:url" content="https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629" /> <meta name="twitter:url" content="https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629" /> <meta property="og:title" content="PEP 592: Support for &quot;Yanked&quot; Files in the Simple Repository API" /> <meta name="twitter:title" content="PEP 592: Support for &quot;Yanked&quot; Files in the Simple Repository API" /> <meta property="og:description" content="I’ve just submitted PEP 592 which will implement the ability to mark a file as “yanked” in the simple repository API. Because this is adding a new attribute, it will not affect how any current versions of pip interpret the simple repository API, however it will allow us to solve the problem of trying to mark files as “don’t actually use this” going forward. I’ve included the PEP body below, and it can be viewed online once the PEP pages sync the latest version. I’ve also had this PEP move the ..." /> <meta name="twitter:description" content="I’ve just submitted PEP 592 which will implement the ability to mark a file as “yanked” in the simple repository API. 
Because this is adding a new attribute, it will not affect how any current versions of pip interpret the simple repository API, however it will allow us to solve the problem of trying to mark files as “don’t actually use this” going forward. I’ve included the PEP body below, and it can be viewed online once the PEP pages sync the latest version. I’ve also had this PEP move the ..." /> <meta property="og:article:section" content="Packaging" /> <meta property="og:article:section:color" content="ED207B" /> <meta name="twitter:label1" value="Reading time" /> <meta name="twitter:data1" value="11 mins 🕑" /> <meta name="twitter:label2" value="Likes" /> <meta name="twitter:data2" value="26 ❤" /> <meta property="article:published_time" content="2019-05-08T00:59:35+00:00" /> <meta property="og:ignore_canonical" content="true" /> <link rel="next" href="/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629?page=2"> </head> <body class="crawler browser-update"> <header> <a href="/"> Discussions on Python.org </a> </header> <div id="main-outlet" class="wrap" role="main"> <div id="topic-title"> <h1> <a href="/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629">PEP 592: Support for "Yanked" Files in the Simple Repository API</a> </h1> <div class="topic-category" itemscope itemtype="http://schema.org/BreadcrumbList"> <span itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem"> <a href="/c/packaging/14" class="badge-wrapper bullet" itemprop="item"> <span class='badge-category-bg' style='background-color: #ED207B'></span> <span class='badge-category clear-badge'> <span class='category-name' itemprop='name'>Packaging</span> </span> </a> <meta itemprop="position" content="1" /> </span> </div> </div> <div itemscope itemtype='http://schema.org/DiscussionForumPosting'> <meta itemprop='headline' content='PEP 592: Support for "Yanked" Files in the Simple Repository API'> <link itemprop='url' 
href='https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629'> <meta itemprop='datePublished' content='2019-05-08T00:59:35Z'> <meta itemprop='articleSection' content='Packaging'> <meta itemprop='keywords' content=''> <div itemprop='publisher' itemscope itemtype="http://schema.org/Organization"> <meta itemprop='name' content='Python Software Foundation'> <div itemprop='logo' itemscope itemtype="http://schema.org/ImageObject"> <meta itemprop='url' content='https://us1.discourse-cdn.com/flex002/uploads/python1/original/1X/c7591c98caf3b31d4d9c6f322f41ed9d80a50800.png'> </div> </div> <div id='post_1' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <link itemprop="mainEntityOfPage" href="https://discuss.python.org/t/pep-592-support-for-yanked-files-in-the-simple-repository-api/1629"> <span class="crawler-post-infos"> <time datetime='2019-05-08T00:59:35Z' class='post-time'> May 8, 2019, 12:59am </time> <meta itemprop='dateModified' content='2019-05-10T15:38:25Z'> <span itemprop='position'>1</span> </span> </div> <div class='post' itemprop='text'> <p>I’ve just submitted PEP 592 which will implement the ability to mark a file as “yanked” in the simple repository API. 
Because this is adding a new attribute, it will not affect how any current versions of pip interpret the simple repository API, however it will allow us to solve the problem of trying to mark files as “don’t actually use this” going forward.</p> <p>I’ve included the PEP body below, and it can be viewed <a href="https://www.python.org/dev/peps/pep-0592/">online</a> once the PEP pages sync the latest version.</p> <p>I’ve also had this PEP move the canonical location of the simple repository API specification to the packaging guide.</p> <blockquote> <h2>Abstract</h2> <p>This PEP proposes adding the ability to mark a particular file download on a simple repository as “yanked”. Yanking a file allows authors to effectively delete a file, without breaking things for people who have pinned to exactly a specific version.</p> <p>It also changes the canonical source for the simple repository API to the <a href="https://packaging.python.org/specifications/simple-repository-api/">Simple Repository API</a> reference document.</p> <h2>Motivation</h2> <p>Whenever a project detects that a particular release on PyPI might be broken, they often times will want to prevent further users from inadvertently using that version. 
However, the obvious solution of deleting the existing file from a repository will break users who have followed best practices and pinned to a specific version of the project.</p> <p>This leaves projects in a catch-22 situation where new projects may be pulling down this known broken version, but if they do anything to prevent that they’ll break projects that are already using it.</p> <p>By allowing the ability to “yank” a file, but still make it available for users who are explicitly asking for it, this allows projects to mitigate the worst of the breakage while still keeping things working for projects who have otherwise worked around or didn’t hit the underlying issues.</p> <p>One of the main scenarios where this may happen, is when dropping support for a particular version of Python. The <code>python-requires</code> metadata allows for dropping support for a version of Python in a way that is not disruptive to users who are still using that Python. However, a common mistake is to either omit or forget to update that bit of metadata. When that mistake has been made, a project really only has three options:</p> <ul> <li>Prevent that version from being installed through some mechanism (currently, the only mechanism is by deleting the release entirely).</li> <li>Re-release the version that worked as a higher version number, and then re-release the version that dropped support as an even higher version number with the correct metadata.</li> <li>Do nothing, and document that people using that older Python have to manually exclude that release.</li> </ul> <p>With this PEP, projects can choose the first option, but with a mechanism that is less likely to break the world for people who are <em>currently</em> successfully using said project.</p> <h2>Specification</h2> <p>Links in the simple repository <strong>MAY</strong> have a <code>data-yanked</code> attribute which may have no value, or may have an arbitrary string as a value. 
The presence of a <code>data-yanked</code> attribute <strong>SHOULD</strong> be interpreted as indicating that the file pointed to by this particular link has been “Yanked”, and should not generally be selected by an installer, except under specific scenarios.</p> <p>The value of the <code>data-yanked</code> attribute, if present, is an arbitrary string that represents the reason for why the file has been yanked. Tools that process the simple repository API <strong>MAY</strong> surface this string to end users.</p> <p>The yanked attribute is not immutable once set, and may be rescinded in the future (and once rescinded, may be reset as well). Thus API users <strong>MUST</strong> be able to cope with a yanked file being “unyanked” (and even yanked again).</p> <h3>Installers</h3> <p>The desirable experience for users is that once a file is yanked, when a human being is currently trying to directly install a yanked file, that it fails as if that file had been deleted. However, when a human did that a while ago, and now a computer is just continuing to mechanically follow the original order to install the now yanked file, then it acts as if it had not been yanked.</p> <p>An installer <strong>MUST</strong> ignore yanked releases, if the selection constraints can be satisfied with a non-yanked version, and <strong>MAY</strong> refuse to use a yanked release even if it means that the request cannot be satisfied at all. An implementation <strong>SHOULD</strong> choose a policy that follows the spirit of the intention above, and that prevents “new” dependencies on yanked releases/files.</p> <p>What this means is left up to the specific installer, to decide how to best fit into the overall usage of their installer. 
However, there are two suggested approaches to take:</p> <ol> <li>Yanked files are always ignored, unless they are the only file that matches a version specifier that “pins” to an exact version using either <code>==</code> (without any modifiers that make it a range, such as <code>.*</code> ) or <code>===</code> . Matching this version specifier should otherwise be done as per PEP 440 for things like local versions, zero padding, etc.</li> <li>Yanked files are always ignored, unless they are the only file that matches what a lock file (such as <code>Pipfile.lock</code> or <code>poetry.lock</code> ) specifies to be installed. In this case, a yanked file <strong>SHOULD</strong> not be used when creating or updating a lock file from some input file or command.</li> </ol> <p>Regardless of the specific strategy that an installer chooses for deciding when to install yanked files, an installer <strong>SHOULD</strong> emit a warning when it does decide to install a yanked file. That warning <strong>MAY</strong> utilize the value of the <code>data-yanked</code> attribute (if it has a value) to provide more specific feedback to the user about why that file had been yanked.</p> <h3>Mirrors</h3> <p>Mirrors can generally treat yanked files one of two ways:</p> <ol> <li>They may choose to omit them from their simple repository API completely, providing a view over the repository that shows only “active”, unyanked files.</li> <li>They may choose to include yanked files, and additionally mirror the <code>data-yanked</code> attribute as well.</li> </ol> <p>Mirrors <strong>MUST NOT</strong> mirror a yanked file without also mirroring the <code>data-yanked</code> attribute for it.</p> <h2>Rejected Ideas</h2> <p>A previous, undocumented, version of the simple repository API had version specific pages, like <code>/simple/&lt;project&gt;/&lt;version&gt;/</code> . If we were to add those back, the yanked files could only appear on those pages and not on the version-less page at all. 
However this would drastically reduce the cache-ability of the simple API and would directly impact our ability to scale it out to handle all of the incoming traffic.</p> <p>A previous iteration of this PEP had the <code>data-yanked</code> attribute act as a boolean value. However it was decided that allowing a string both simplified the implementation, and provided additional generalized functionality to allow projects to provide a mechanism to indicate <em>why</em> they were yanking a release.</p> <p>Another suggestion was to reserve some syntax in the arbitrary string to allow us to evolve the standard in the future if we ever need to. However, given we can add additional attributes in the future, this idea has been rejected, favoring instead to use additional attributes if the need ever arose.</p> <h2>Warehouse/PyPI Implementation Notes</h2> <p>While this PEP implements yanking at the file level, that is largely due to the shape the simple repository API takes, not a specific decision made by this PEP.</p> <p>In Warehouse, the user experience will be implemented in terms of yanking or unyanking an entire release, rather than as an operation on individual files, which will then be exposed via the API as individual files being yanked.</p> <p>Other repository implementations may choose to expose this capability in a different way, or not expose it at all.</p> <h3>Journal Handling</h3> <p>Whenever a release has been yanked, an entry will be recorded in the journal using one of the following string patterns:</p> <ul> <li><code>yank release</code></li> <li><code>unyank release</code></li> </ul> <p>In both cases, the standard journal structure will indicate which release of which project has been yanked or unyanked.</p> <h2>Copyright</h2> <p>This document has been placed in the public domain.</p> </blockquote> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" 
content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_2' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/pf_moore'><span itemprop='name'>pf_moore</span></a> (Paul Moore) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T09:13:46Z' class='post-time'> May 8, 2019, 9:13am </time> <meta itemprop='dateModified' content='2019-05-08T09:13:46Z'> <span itemprop='position'>2</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers quote-modified" data-username="dstufft" data-post="1" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/dstufft/48/23_2.png" class="avatar"> dstufft:</div> <blockquote> <p>For the purposes of this PEP, having no value is interpretted as a <code>true</code> value.</p> </blockquote> </aside> <p>Maybe clarify that having no <code>data-yanked</code> attribute is interpreted as <code>false</code> (it’s just having the attribute but with no value that’s interpreted as <code>true</code>).</p> <p>Also spelling: “interpreted” (one “t”)</p> <aside class="quote group-committers quote-modified" data-username="dstufft" data-post="1" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/dstufft/48/23_2.png" class="avatar"> dstufft:</div> <blockquote> <p>using an exact <code>==</code> match</p> </blockquote> </aside> <p>Presumably (a) only if the requested 
version doesn’t include a trailing <code>.*</code> (which you show in the examples) and (b) also <code>===</code>? Also, <code>==1.1.0</code> matches <code>1.1</code> (by the rule about zero padding) and I assume yanked versions would be accepted in that case too.</p> <p>I suspect the rules are subtle enough that we’d want the <code>packaging</code> library to provide a reference implementation, rather than having installers just interpret things for themselves. But equally that means that it would be nice to be clearer here, so that we didn’t risk ending up with edge cases being implementation-defined in the packaging library.</p> <aside class="quote group-committers quote-modified" data-username="dstufft" data-post="1" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/dstufft/48/23_2.png" class="avatar"> dstufft:</div> <blockquote> <p>In addition, and installer</p> </blockquote> </aside> <p>“an installer”</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_3' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T15:03:11Z' class='post-time'> May 8, 2019, 3:03pm </time> <meta itemprop='dateModified' content='2019-05-08T15:03:11Z'> <span itemprop='position'>3</span> </span> </div> <div 
class='post' itemprop='text'> <p>Updated the PEP, you can see the full diff at <a href="https://github.com/python/peps/pull/1034" rel="nofollow noopener">https://github.com/python/peps/pull/1034</a> but the major changes are:</p> <ul> <li>Switch the Delegate to <a class="mention" href="/u/pf_moore">@pf_moore</a> </li> <li>Change the <code>data-yanked</code> attribute from a boolean to a string to allow embedding a reason for why it was yanked.</li> </ul> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_4' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/pf_moore'><span itemprop='name'>pf_moore</span></a> (Paul Moore) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T15:14:06Z' class='post-time'> May 8, 2019, 3:14pm </time> <meta itemprop='dateModified' content='2019-05-08T15:14:06Z'> <span itemprop='position'>4</span> </span> </div> <div class='post' itemprop='text'> <p>Looks OK to me. I’ll wait a while for any other interested parties to add their comments, though.</p> <p>Once accepted, I assume the following actions are needed:</p> <ul> <li>Implement the flag in Warehouse and add some form of UI for it to PyPI.</li> <li>Support the flag in pip (my preference would be for this to be done in packaging, and for pip to just use that implementation, but I don’t know how plausible that will be in practice).</li> </ul> <p>Anything else? 
Will tools like pipenv need special action, or do they just pick this up via pip?</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_5' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T15:17:08Z' class='post-time'> May 8, 2019, 3:17pm </time> <meta itemprop='dateModified' content='2019-05-08T15:17:08Z'> <span itemprop='position'>5</span> </span> </div> <div class='post' itemprop='text'> <p>Those steps are roughly correct yea.</p> <p>I don’t know exactly how pipenv uses pip internally so it may or may not need to change, hopefully changing things in pip is enough.</p> <p>This change would ideally live in packaging, but the repository API access all lives in pip itself still so it’ll require changes there at a minimum. 
What can live in packaging as it exists right now is logic to determine which specifiers are for an “exact” version or not, so we can toggle on/off yanked files in pip’s finder based on that.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_6' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/pganssle'><span itemprop='name'>pganssle</span></a> (Paul Ganssle) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T17:57:27Z' class='post-time'> May 8, 2019, 5:57pm </time> <meta itemprop='dateModified' content='2019-05-08T17:57:27Z'> <span itemprop='position'>6</span> </span> </div> <div class='post' itemprop='text'> <p><a class="mention" href="/u/dstufft">@dstufft</a> First off, thank you for this PEP, it is going to make the transition from Python 2 to Python 3 much easier, in my opinion.</p> <p>Two things:</p> <ol> <li> <p>Would it make sense to have some “reserved” syntax for this, in case we need to make future modifications? 
Something like “Ending the text in <code>data-yanked</code> with text in square brackets is disallowed, as that syntax is reserved for future modifications.” Then if we have some unforeseen need to communicate additional information, we can do so in a backwards-compatible way.</p> </li> <li> <p>I think it <em>may</em> be worth documenting in the motivation section that this is <em>particularly</em> needed when the way that the package is broken is in metadata telling installers that a package is <em>not</em> suitable for a specific platform (e.g. <code>python_requires</code>), because making new releases to correct the metadata will be ignored by installers on the unsupported platform!</p> </li> </ol> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_7' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/njs'><span itemprop='name'>njs</span></a> (Nathaniel J. 
Smith) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T18:49:02Z' class='post-time'> May 8, 2019, 6:49pm </time> <meta itemprop='dateModified' content='2019-05-08T18:49:02Z'> <span itemprop='position'>7</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" data-username="pganssle" data-post="6" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/pganssle/48/245_2.png" class="avatar"> pganssle:</div> <blockquote> <p>I think it <em>may</em> be worth documenting in the motivation section that this is <em>particularly</em> needed when the way that the package is broken is in metadata telling installers that a package is <em>not</em> suitable for a specific platform (e.g. <code>python_requires</code></p> </blockquote> </aside> <p>Strong agree.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_8' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T22:12:22Z' class='post-time'> May 8, 2019, 10:12pm </time> <meta itemprop='dateModified' content='2019-05-08T22:12:22Z'> <span itemprop='position'>8</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" 
data-username="pganssle" data-post="6" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/pganssle/48/245_2.png" class="avatar"> pganssle:</div> <blockquote> <p>Would it make sense to have some “reserved” syntax for this, in case we need to make future modifications? Something like “Ending the text in <code>data-yanked</code> with text in square brackets is disallowed, as that syntax is reserved for future modifications.” Then if we have some unforeseen need to communicate additional information, we can do so in a backwards-compatible way.</p> </blockquote> </aside> <p>I don’t think so, we don’t need to smuggle extra data in that string, if we ever need to communicate more information we can just add another attribute.</p> <aside class="quote group-committers" data-username="pganssle" data-post="6" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/pganssle/48/245_2.png" class="avatar"> pganssle:</div> <blockquote> <p>I think it <em>may</em> be worth documenting in the motivation section that this is <em>particularly</em> needed when the way that the package is broken is in metadata telling installers that a package is <em>not</em> suitable for a specific platform (e.g. 
<code>python_requires</code> ), because making new releases to correct the metadata will be ignored by installers on the unsupported platform!</p> </blockquote> </aside> <p>I can do that sure.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_9' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/uranusjr'><span itemprop='name'>uranusjr</span></a> (Tzu-ping Chung) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-08T22:27:34Z' class='post-time'> May 8, 2019, 10:27pm </time> <meta itemprop='dateModified' content='2019-05-08T22:27:34Z'> <span itemprop='position'>9</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" data-username="pf_moore" data-post="4" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/pf_moore/48/35_2.png" class="avatar"> pf_moore:</div> <blockquote> <p>Will tools like pipenv need special action, or do they just pick this up via pip?</p> </blockquote> </aside> <p>Pipenv currently simply delegates package discovery to pip, so I think it should be fine. 
It will likely affect some other tools that implement their own Simple and JSON API client though (including distlib), so this will need to be done with as much visibility to the community so people can fix stuff before end users notice breakages.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_10' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T03:24:15Z' class='post-time'> May 9, 2019, 3:24am </time> <meta itemprop='dateModified' content='2019-05-09T03:24:15Z'> <span itemprop='position'>10</span> </span> </div> <div class='post' itemprop='text'> <p>And just to be clear, the possible user breakage here is similar to the <code>python_requires</code> rollout where the absolute worst case scenario is that someone will install a yanked file when they otherwise shouldn’t have. 
That’s less ideal than not doing that, but it doesn’t introduce a <em>new</em> type of breakage, the unhappy path is basically just acting like this PEP doesn’t exist.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_11' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/cjerdonek'><span itemprop='name'>cjerdonek</span></a> (Chris Jerdonek) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T05:51:27Z' class='post-time'> May 9, 2019, 5:51am </time> <meta itemprop='dateModified' content='2019-05-09T05:51:27Z'> <span itemprop='position'>11</span> </span> </div> <div class='post' itemprop='text'> <p>Clarifying question: does “yanked” mean to imply it’s permanently yanked, or can a file be “unyanked”?</p> <p>Also, there’s a typo here (should be “may have no value” I think):</p> <aside class="quote group-committers quote-modified" data-username="dstufft" data-post="1" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/dstufft/48/23_2.png" class="avatar"> dstufft:</div> <blockquote> <p>Links in the simple repository <strong>MAY</strong> have a <code>data-yanked</code> attribute which may have a no value,</p> </blockquote> </aside> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> 
<meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_12' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T12:28:51Z' class='post-time'> May 9, 2019, 12:28pm </time> <meta itemprop='dateModified' content='2019-05-09T12:28:51Z'> <span itemprop='position'>12</span> </span> </div> <div class='post' itemprop='text'> <p>One thing that I’m considering is changing the wording around <em>when</em> an installer should use a yanked version or not. I’m worried that I’m being a bit too pip specific in my wording. I’m looking at the prior art here and Cargo for instance will <em>only</em> install a yanked crate if it’s pinned inside of a <code>Cargo.lock</code> file.</p> <p>Obviously pip doesn’t have a <code>Cargo.lock</code> file analogous but maybe we should make the wording in the PEP a tad bit more ambiguous and tell installers that the intent is that no <em>new</em> dependencies can be created against the yanked version, but that existing dependencies continue to work. 
This would suggest that something like pipenv or poetry would be best suited to only installing it from a lockfile and pip would… I’m not 100% sure, either install it for <code>==</code> and <code>===</code> or perhaps even go one step further and only install it for <code>==</code> or <code>===</code> when coming from a <code>requirements.txt</code>?</p> <p>I’m kind of torn on this though, because as it stands the PEP is more consistent, but it means that something like <code>pip install yanked-thing==1.0</code> still works, and I’m not sure that we want it to. What do other people think?</p> <aside class="quote group-committers" data-username="cjerdonek" data-post="11" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/cjerdonek/48/63_2.png" class="avatar"> cjerdonek:</div> <blockquote> <p>Clarifying question: does “yanked” mean to imply it’s permanently yanked, or can a file be “unyanked”?</p> </blockquote> </aside> <p>I would lean towards allowing it to be unyanked, and I’ll update the PEP to say that. 
I think this is a case where we can give the project more control to do what makes sense for their project rather than constraining them.</p> <aside class="quote group-committers" data-username="cjerdonek" data-post="11" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/cjerdonek/48/63_2.png" class="avatar"> cjerdonek:</div> <blockquote> <p>Also, there’s a typo here (should be “may have no value” I think):</p> </blockquote> </aside> <p>Yea, I’ll get that fixed in the next update.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="2" /> <span class='post-likes'>2 Likes</span> </div> </div> <div id='post_13' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/uranusjr'><span itemprop='name'>uranusjr</span></a> (Tzu-ping Chung) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T14:37:39Z' class='post-time'> May 9, 2019, 2:37pm </time> <meta itemprop='dateModified' content='2019-05-09T14:37:39Z'> <span itemprop='position'>13</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" data-username="dstufft" data-post="12" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/dstufft/48/23_2.png" class="avatar"> dstufft:</div> <blockquote> <p>it means that something like <code>pip install 
yanked-thing==1.0</code> still works, and I’m not sure that we want it to.</p> </blockquote> </aside> <p>I might have missed some content, since I am not sure why this would be problematic.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_14' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/xafer'><span itemprop='name'>xafer</span></a> (Xavier Fernandez) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T19:22:09Z' class='post-time'> May 9, 2019, 7:22pm </time> <meta itemprop='dateModified' content='2019-05-09T19:22:09Z'> <span itemprop='position'>14</span> </span> </div> <div class='post' itemprop='text'> <p>I’d say <code>pip install yanked-thing==1.0</code> should behave the same way as <code>pip install -r requirement.txt</code> if <code>requirement.txt</code> contains <code>yanked-thing==1.0</code>.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_15' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/cjerdonek'><span itemprop='name'>cjerdonek</span></a> (Chris Jerdonek) 
</span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T20:10:52Z' class='post-time'> May 9, 2019, 8:10pm </time> <meta itemprop='dateModified' content='2019-05-10T05:42:13Z'> <span itemprop='position'>15</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote no-group" data-username="xafer" data-post="14" data-topic="1629" data-full="true"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/xafer/48/248_2.png" class="avatar"> xafer:</div> <blockquote> <p>I’d say <code>pip install yanked-thing==1.0</code> should behave the same way as <code>pip install -r requirement.txt</code> if <code>requirement.txt</code> contains <code>yanked-thing==1.0</code> .</p> </blockquote> </aside> <p>Agreed. My instinct is that the rule shouldn’t depend on how it’s invoked (at least for pip). Otherwise, I can see this creating confusion when people are trying to diagnose issues because the behavior will subtly vary. But I haven’t thought deeply about it.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_16' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/njs'><span itemprop='name'>njs</span></a> (Nathaniel J. 
Smith) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T20:43:58Z' class='post-time'> May 9, 2019, 8:43pm </time> <meta itemprop='dateModified' content='2019-05-09T20:43:58Z'> <span itemprop='position'>16</span> </span> </div> <div class='post' itemprop='text'> <p>It sounds like what you want is: humans are not allowed to type new ‘yanked-thing==1.0’ requirements, but if a human typed it a while ago and now it’s just a computer continuing to mechanically follow orders, then that’s allowed.</p> <p>Unfortunately, I don’t think that’s something we can reliably distinguish. You could have an old unmaintained Dockerfile that says ‘RUN pip install yanked-thing==1.0’, and you could have a requirements.txt that someone typed a few seconds ago.</p> <p>Maybe the closest you can get would be for pip to print a warning when installing a yanked version? That way if a human did type it, they’ll see it, and if it’s a computer, they’ll ignore it.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_17' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/xafer'><span itemprop='name'>xafer</span></a> (Xavier Fernandez) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T20:55:20Z' class='post-time'> May 9, 2019, 8:55pm </time> <meta itemprop='dateModified' content='2019-05-09T20:55:20Z'> <span itemprop='position'>17</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" 
data-username="njs" data-post="16" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/njs/48/204_2.png" class="avatar"> njs:</div> <blockquote> <p>Maybe the closest you can get would be for pip to print a warning when installing a yanked version? That way if a human did type it, they’ll see it, and if it’s a computer, they’ll ignore it.</p> </blockquote> </aside> <p>I like that <img src="https://emoji.discourse-cdn.com/apple/slight_smile.png?v=12" title=":slight_smile:" class="emoji" alt=":slight_smile:" loading="lazy" width="20" height="20"></p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> <div id='post_18' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/dstufft'><span itemprop='name'>dstufft</span></a> (Donald Stufft) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-09T21:01:56Z' class='post-time'> May 9, 2019, 9:01pm </time> <meta itemprop='dateModified' content='2019-05-09T21:01:56Z'> <span itemprop='position'>18</span> </span> </div> <div class='post' itemprop='text'> <aside class="quote group-committers" data-username="njs" data-post="16" data-topic="1629"> <div class="title"> <div class="quote-controls"></div> <img loading="lazy" alt="" width="24" height="24" src="https://sea2.discourse-cdn.com/flex016/user_avatar/discuss.python.org/njs/48/204_2.png" class="avatar"> njs:</div> <blockquote> <p>It sounds like 
what you want is: humans are not allowed to type new ‘yanked-thing==1.0’ requirements, but if a human typed it a while ago and now it’s just a computer continuing to mechanically follow orders, then that’s allowed.</p> <p>Unfortunately, I don’t think that’s something we can reliably distinguish. You could have an old unmaintained Dockerfile that says ‘RUN pip install yanked-thing==1.0’, and you could have a requirements.txt that someone typed a few seconds ago.</p> </blockquote> </aside> <p>Yea that’s roughly it. The pip case is the hardest case I think. Tools like pipenv, poetry, even pip-tools have it easier because they can just support yanked files only from lock files. It might be the case that a warning in pip is the best we can do given how pip works.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_19' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/pradyunsg'><span itemprop='name'>pradyunsg</span></a> (Pradyun Gedam) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-10T10:26:04Z' class='post-time'> May 10, 2019, 10:26am </time> <meta itemprop='dateModified' content='2019-05-10T10:26:04Z'> <span itemprop='position'>19</span> </span> </div> <div class='post' itemprop='text'> <p>The PEP looks good to me in its current form.</p> <p>pip printing a warning when using a pinned yanked release, sounds right to me.</p> <hr> <p>I think we should take this opportunity to move the simple repository API spec to <a href="http://packaging.python.org" 
rel="nofollow noopener">packaging.python.org</a>, like we’ve been doing for so many others.</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="1" /> <span class='post-likes'>1 Like</span> </div> </div> <div id='post_20' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.python.org/u/bernatgabor'><span itemprop='name'>bernatgabor</span></a> (Bernát Gábor) </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2019-05-10T10:44:12Z' class='post-time'> May 10, 2019, 10:44am </time> <meta itemprop='dateModified' content='2019-05-10T10:44:12Z'> <span itemprop='position'>20</span> </span> </div> <div class='post' itemprop='text'> <p>I agree with <a class="mention" href="/u/pradyunsg">@pradyunsg</a> on this one. 
Great work on this everyone!</p> </div> <div itemprop="interactionStatistic" itemscope itemtype="http://schema.org/InteractionCounter"> <meta itemprop="interactionType" content="http://schema.org/LikeAction"/> <meta itemprop="userInteractionCount" content="0" /> <span class='post-likes'></span> </div> </div> </div> </div> </body> </html>
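The installer behaviour this thread converges on (yanked files are skipped unless the requirement is an exact `==` or `===` pin, and a warning is produced when a pinned yanked file is used), as an added Python example that is not code from pip or from any poster. The sample index, the `yanked_thing` file names and every function name are constructed for illustration, and only plain numeric versions and the `==`, `===`, `==X.*` and `>=` specifiers are handled.

```python
import re
from html.parser import HTMLParser

# Constructed Simple Repository API project page (sample data, not from PyPI).
SAMPLE_INDEX = """
<a href="yanked_thing-0.9.tar.gz">yanked_thing-0.9.tar.gz</a>
<a href="yanked_thing-1.0.tar.gz" data-yanked="bad python_requires">yanked_thing-1.0.tar.gz</a>
<a href="yanked_thing-1.1.tar.gz" data-yanked>yanked_thing-1.1.tar.gz</a>
"""

VERSION = r"\d+(?:\.\d+)*"  # assumption: plain numeric release versions only


class FileLinks(HTMLParser):
    """Collect one record per sdist link, including its yanked state."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        match = re.search(rf"-({VERSION})\.tar\.gz$", attrs.get("href") or "")
        if match is None:
            return
        self.files.append({
            "href": attrs["href"],
            "version": match.group(1),
            # Presence of the attribute is what counts: a valueless
            # data-yanked parses as None, so test membership, not truthiness.
            "yanked": "data-yanked" in attrs,
            "reason": attrs.get("data-yanked") or "",
        })


def vkey(version):
    """Comparable key for a numeric version, ignoring trailing zeros."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def exact_pin(spec):
    """Pinned version for '==X' or '===X' (treated alike here); None for ranges like '==1.*'."""
    match = re.fullmatch(rf"\s*===?\s*({VERSION})\s*", spec)
    return match.group(1) if match else None


def in_range(version, spec):
    """Evaluate the non-exact specifiers this example supports."""
    spec = spec.strip()
    if not spec:
        return True
    if m := re.fullmatch(rf"==\s*({VERSION})\.\*", spec):
        prefix = m.group(1).split(".")
        return version.split(".")[:len(prefix)] == prefix
    if m := re.fullmatch(rf">=\s*({VERSION})", spec):
        return vkey(version) >= vkey(m.group(1))
    raise ValueError(f"unsupported specifier: {spec!r}")


def select(index_html, spec=""):
    """Return (href, warning) for the file chosen under the thread's rule."""
    parser = FileLinks()
    parser.feed(index_html)
    pin = exact_pin(spec)
    if pin is not None:
        # Exact pin: yanked files stay eligible so existing pins keep working.
        candidates = [f for f in parser.files if vkey(f["version"]) == vkey(pin)]
    else:
        # Range or no specifier: yanked files are invisible to resolution.
        candidates = [f for f in parser.files
                      if not f["yanked"] and in_range(f["version"], spec)]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda f: (vkey(f["version"]), not f["yanked"]))
    warning = None
    if best["yanked"]:
        warning = f"{best['href']} is yanked: {best['reason'] or 'no reason given'}"
    return best["href"], warning
```

With the sample index, an unpinned request resolves to 0.9 even though 1.0 and 1.1 exist, while `==1.*` and `>=1.0` resolve to nothing because every matching file is yanked.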