On 05/05/2015 12:15 AM, Ian Cordasco wrote:
> For what it’s worth Thomas and Maxime, removing the old versions from PyPI is likely to be a bad idea.

Probably, but it's legally wrong (i.e. worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.

> An increasing number of deployers have stopped relying on system packages and install either from source or from PyPI. If they’re creating frozen lists of dependencies, you *will* break them.

I don't think we have a choice here. Or do you want to push Maxime to take the legal risks? I wouldn't do that...

Anyway, here, we're talking about xstatic-angular-bootstrap, and I think it's safe to say that nothing else but horizon depends on it. So we should be fine.

> While I agree that those distributions are violating the license, I think it is a mistake that no one believes is malicious and which no one will actually chase after you for.

Are you a lawyer? Do you have a special connection with people from bootstrap and angular, and they told you so?

> If you’re very concerned about it, you can create updated releases of all of those packages (for PyPI).

Even if you aren't concerned, please do create an updated release on PyPI so that it can be uploaded to Debian.

> If you have version 1.2.3, you can release version 1.2.3.post1 to indicate that the source code itself didn’t exactly change but some metadata was added or fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over 1.2.3.

There's no need to do this: there are already 4 digits in XStatic packages. Just increasing the ultra-micro (i.e. the last digit) in the version number is fine. I fail to see why one would need to over-engineer this with a .post1 suffix.
Cheers,

Thomas Goirand (zigo)

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
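The two versioning options argued about above (a `.post1` suffix versus bumping the last of XStatic's four digits) and the "frozen dependency list" concern both come down to PEP 440 ordering and exact-pin matching. The following is an added example, not code from the thread, pip or XStatic: it implements only the PEP 440 subset the thread uses (dotted release segment plus an optional `.postN`), with a constructed release history for a hypothetical XStatic-style package, and shows which candidate an unpinned install picks and what a `==` pin does once the original release is deleted.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Subset of the PEP 440 grammar needed here: a dotted release segment of any
# length (XStatic uses four digits) plus an optional ".postN" suffix.
# Pre-releases, dev releases and local version labels are deliberately rejected.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (release, post); post is -1 when there is no post release."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # PEP 440 treats trailing zeros as insignificant (1.2.3 == 1.2.3.0). Dropping
    # them makes plain tuple comparison equal to PEP 440's zero-padded comparison.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    post = int(m.group(2)) if m.group(2) is not None else -1
    return release, post


def newest(candidates: Iterable[str]) -> str:
    """What an unconstrained installer selects: the highest version on the index."""
    return max(candidates, key=parse_version)


def satisfies_pin(candidate: str, pinned: str) -> bool:
    """Exact '==' match as a frozen requirements file uses it.

    A post release is a distinct version, so '==0.11.0.1' does not accept
    0.11.0.1.post1; only the identical release (modulo trailing zeros) matches.
    """
    return parse_version(candidate) == parse_version(pinned)


def resolve(candidates: Iterable[str], pinned: Optional[str] = None) -> Optional[str]:
    """Pick a release as a pinned or unpinned install would; None means the install breaks."""
    pool: List[str] = [c for c in candidates if pinned is None or satisfies_pin(c, pinned)]
    return newest(pool) if pool else None


if __name__ == "__main__":
    # Constructed release history: original, the ".post1" option, the "bump last digit" option.
    released = ["0.11.0.1", "0.11.0.1.post1", "0.11.0.2"]
    print(newest(released))                                    # 0.11.0.2
    print(resolve(released, pinned="0.11.0.1"))                # 0.11.0.1
    print(resolve(["0.11.0.1.post1", "0.11.0.2"], "0.11.0.1"))  # None: pin broken by deletion
```

Either new release sorts above the original, so unpinned installs move forward with both options; a deployment pinned with `==` keeps working only while the pinned release is still on the index, which is the breakage Ian describes.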