On 5/4/15, 18:13, "Thomas Goirand" <z...@debian.org> wrote:
>On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>> For what it’s worth Thomas and Maxime, removing the old versions from
>> PyPI is likely to be a bad idea.
>
>Probably, but it's legally wrong (ie: worst case, you can be sued) to
>leave a package which is in direct violation of the license of things it
>contains.

Note: I didn’t say it was legally correct. Please don’t put words in my mouth Thomas. You do this frequently.

>
>> An increasing number of deployers have stopped
>> relying on system packages and install either from source or from PyPI.
>> If they’re creating frozen lists of dependencies, you *will* break them.
>
>I don't think we have a choice here. Or do you want to push Maxime to
>take the legal risks? I wouldn't do that...
>
>Anyway, here, we're talking about xstatic-angular-bootstrap, and I it's
>safe to say that nothing else but horizon depends on it. So we should be
>fine.

Have you analyzed all of the dependencies on PyPI? Are you sure Storyboard doesn’t depend on it? Horizon may be the only project *you* know of that depends on it. I don’t think you, Maxime, or I can know that for certain. Even so, Horizon is deployed in many places, and given the reliability of system packages, it’s increasingly deployed from source.

>
>> While I agree that those distributions are violating the license, I
>> think it is a mistake that no one believes is malicious and which no one
>> will actually chase after you for.
>
>Are you a lawyer? Do you have a special connection with people from
>bootstrap and angular, and they told you so?

Again with trying to put words in my mouth Thomas.

>
>> If you’re very concerned about it, you can
>> create updated releases of all of those packages (for PyPI).
>
>Even if you aren't concerned, please do create an updated release on
>PyPi so that it can be uploaded to Debian.
>
>> If you have
>> version 1.2.3, you can release version 1.2.3.post1 to indicate that the
>> source code itself didn’t exactly change but some metadata was added or
>> fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over
>> 1.2.3.
>
>There's no need to do this, there's already 4 digits in XStatic
>packages. Just increasing the ultra-micro (ie: the last digit) in the
>version number is fine. I fail to see why one would need to
>over-engineer this with a .post1 suffix.

I suppose if you used pip, you’d understand why the .post1 suffix is necessary, but you don’t care about anything other than how this affects your packages, do you?

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
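
The version selection discussed in this message, as an added example that is not part of the original thread and is not pip's or any project's code: a simplified model of PEP 440 ordering and `==` pin matching, showing how a frozen pin behaves when a release is removed or re-released. The function names and the version strings are constructed for illustration; only plain releases and `.postN` suffixes are handled.

```python
import re

# Simplified subset of PEP 440: N(.N)* with an optional .postN suffix.
# Epochs, pre-releases, dev releases and local versions are not handled.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")


def parse(version, width=6):
    """Return a sort key: zero-padded release tuple, then post number.

    Padding makes 1.2.3 and 1.2.3.0 compare equal, as PEP 440 requires.
    A version without a post segment gets -1 so it sorts before .post0.
    Assumes release segments have at most `width` components.
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (width - len(release))
    post = int(m.group(2)) if m.group(2) is not None else -1
    return release, post


def select(available, requirement=None):
    """Pick the highest matching version from a constructed index listing.

    `requirement` is None (unpinned) or an exact pin such as "==1.2.3".
    Returns None when nothing on the index satisfies the requirement.
    """
    candidates = list(available)
    if requirement is not None:
        if not requirement.startswith("=="):
            raise ValueError("only '==' pins are modelled here")
        pinned = parse(requirement[2:].strip())
        # Strict equality: a post-release does not satisfy a plain pin.
        candidates = [v for v in candidates if parse(v) == pinned]
    return max(candidates, key=parse) if candidates else None


if __name__ == "__main__":
    index = ["1.2.3", "1.2.3.post1", "1.2.3.1"]  # constructed sample versions
    print(sorted(index, key=parse))               # ordering of the three forms
    print(select(index))                          # unpinned install
    print(select(index, "==1.2.3"))               # frozen pin, release present
    print(select(index[1:], "==1.2.3"))           # frozen pin, release removed
```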