by dalke 1121 days ago
Well, speak of the devil and he doth appear! :)

I looked at PEP 708. I was confused by what "repository" means. In PEP 503 "A repository that implements the simple API is defined by its base URL .... Within a repository, the root URL (/ for this PEP which represents the base URL) MUST be a valid HTML5 page with a single anchor element per project in the repository.".

A repository contains projects - "individual project contained within a repository".

PEP 708 seems to use "repository" to mean both that and individual project. Consider "To enable one repository to extend another, this PEP allows the extending repository to declare that it “tracks” another repository by adding the URL of the repository that it is extending."

The examples show project with new entries tracking a project on another repository.

This made it hard for me to understand what something like "repository owner" really means.

> If I understand your uses well enough you should be able to add a line or two of HTML to your repository and not have any interruptions or warnings.

I'm not sure it works, at least, not fully.

I tell people to use:

    python -m pip install chemfp -i https://chemfp.com/packages/

This used to contain only one project, "chemfp".

Now it also contains "click" and "tqdm" entries, copied verbatim from the respective PyPI project entries, because I recently added my first required install dependencies, and -i doesn't automatically fall back to PyPI.

I use '-i' because I don't want installs to start using the old chemfp version on PyPI. (Why? I only distribute pre-compiled wheels for 'manylinux'. I didn't release Python 3.11 wheels until a few weeks ago. I don't want pip for 3.11 users, or on macOS, to find the source version and try to install it. And "We’ve spent 15+ years educating users that the ordering of repositories being specified is not meaningful, and they effectively have an undefined order." ;)

I would prefer to not maintain copies of the click and tqdm project entries, as I need to remember to refresh them.

I think with PEP 708 I can have a single

    <meta name="pypi:alternate-locations" content="https://pypi.org/simple/click/">
    ...
    <body></body>

which will fix that pain point.

However, the main issue I have is namesquatting is still too easy. If I started chemfp now, with no PyPI entry, then from my side nothing changes.

But I've had people do "pip install chemfp" WITHOUT the -i option then ask why it didn't work.

I assume that's because people aren't used to using a -i (or configuring it in their requirements.txt) so aren't sensitive as to why it's important.

Namesquatting a purely non-PyPI project then comes easy - register it on PyPI. PyPI is active about namesquatting, but you all surely don't track all small non-PyPI projects.

What I would like is, I thought, pretty simple:

    python -m pip install chemfp.com:/package/chemfp/

with the ability to also specify a path like that in the requirements.

That's considered in PEP 708 as possible ("To my knowledge the only systems that have managed to do this end up piggybacking off of the domain system and refer to packages by URLs with domains etc") but rejected ("our ability to retrofit that into our decades old system is practically zero without burning it all to the ground and starting over" ... "This would upend so many core assumptions ...")

This means while some of my current issues will be assuaged with this PEP, my fundamental concern will not.
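To make the "alternate-locations" and namesquatting points concrete, here is an added example (editor's code, not from the comment above, PEP 708 or pip): it pulls the PEP 708 `pypi:alternate-locations` metas out of a PEP 503 project page and applies a merge rule that is my reading of the PEP, assumed here rather than quoted, namely that repositories must declare each other mutually before an installer may merge a project's files. The sample pages and the click wheel filename are constructed.

```python
from html.parser import HTMLParser

class _AlternateLocations(HTMLParser):
    """Collect PEP 708 <meta name="pypi:alternate-locations"> tags from a PEP 503 project page."""
    def __init__(self):
        super().__init__()
        self.alternates = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "pypi:alternate-locations":
            self.alternates.add(a.get("content", ""))

def alternate_locations(html):
    parser = _AlternateLocations()
    parser.feed(html)
    return parser.alternates

def merge_decision(pages):
    """pages maps each repository's project-page URL to that page's HTML.

    Assumed rule (my reading of PEP 708, not quoted from it): one project's files
    may be merged across repositories only when every repository lists every
    other one as an alternate location. A one-sided or missing declaration is a
    conflict the installer refuses, so a same-named project that appears on
    another index is not silently picked up."""
    declared = {url: alternate_locations(html) for url, html in pages.items()}
    if len(declared) == 1:
        return "single"
    for url, alternates in declared.items():
        if not (set(declared) - {url}) <= alternates:
            return "conflict"
    return "merge"

# Constructed sample pages; not real chemfp.com or PyPI content.
PRIVATE_CLICK = (
    '<html><head><meta name="pypi:alternate-locations" '
    'content="https://pypi.org/simple/click/"></head>'
    '<body><a href="click-8.1.3-py3-none-any.whl">click</a></body></html>'
)
PYPI_CLICK = '<html><head></head><body><a href="click-8.1.3-py3-none-any.whl">click</a></body></html>'
PYPI_CLICK_MUTUAL = PYPI_CLICK.replace(
    "</head>",
    '<meta name="pypi:alternate-locations" content="https://chemfp.com/packages/click/"></head>',
)
ONE_SIDED = {"https://chemfp.com/packages/click/": PRIVATE_CLICK,
             "https://pypi.org/simple/click/": PYPI_CLICK}
MUTUAL = {"https://chemfp.com/packages/click/": PRIVATE_CLICK,
          "https://pypi.org/simple/click/": PYPI_CLICK_MUTUAL}
```

Under this rule a private index pointing at PyPI is not enough on its own; `merge_decision(ONE_SIDED)` returns "conflict" while `merge_decision(MUTUAL)` returns "merge".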