On Thu, Jan 02, 2025 at 09:51:45AM +0100, Simon Josefsson wrote:
> Context: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091506#27
> 
> Helmut Grohne <hel...@subdivi.de> writes:
> 
> > Hi Simon,
> >
> > On Sat, Dec 28, 2024 at 10:33:28AM +0100, Simon Josefsson wrote:
> >> Thank you - I agree and hope to convince upstream PQconnect to pick
> >> build dependencies in a better way. This was a bit further down the
> >> dependency stack, but hopefully they can help anyway. They brought
> >> up a valid concern: prefer not to depend on things not on PyPI and I
> >> agree (of course, within reason).  It seems unshare is there:
> >> https://pypi.org/project/unshare/
> >
> > Everyone has their own kink. I ignore Python modules that are not in
> > Debian and others ignore Python modules not on PyPI.
> >
> > My reasons for ignoring PyPI:
> >  * It has a history of hosting malware.
> >  * It has a history of hosting low-quality modules (such as the one you
> >    are packaging).
> >  * It tends to have multiple competing modules for a use case. Each of
> >    them has their own downsides and the good solution ends up not being
> >    uploaded to PyPI.
> >  * Modules come and go often only ever receiving a single upload and
> >    your dependency ends up becoming technical debt.
> >  * It has made uploading stuff harder and harder while simultaneously
> >    degrading security by stopping support for pgp signatures.
> >  * Accessing PyPI has become harder since it became "protected" by
> >    fastly.
> >  * Salvo Tomaselli gave a talk in Toulouse with more reasons.
> >
> > I no longer consider PyPI worth my time.
> 
> I am beginning to feel the same.
> 
> Is there anyone in the Debian Python team who feels PyPI is preferable?

I think this conflates two mostly unrelated things and at least some of
the listed reasons are not applicable to your question.
And "I ignore Python modules that are not in Debian" solves everything
already.

-- 
WBR, wRAR