Hi Dima, I believe I'm the person who introduced that long standing policy. It was indeed motivated by a significant paying customer's requirement to install Sage entirely from source, and without an external network. I believe no such customers have supported the Sage project for about a decade, so I'm very supportive of removing this policy.
It's possible to install pip packages without an internet connection, and it's also more likely that popular published pip packages are being scanned for vulnerabilities regularly, than it is that a vendored version of that same package in the sage source distro is being scanned. I hope you do bring this to a vote, and feel free to copy my above statement of support. I also strongly agree with Matthias that a vote about pip installability may be considered separately from a vote to add these testing packages. -- William On Sat, Feb 10, 2024 at 4:09 PM Dima Pasechnik <dimp...@gmail.com> wrote: > > > > On 10 February 2024 23:40:59 GMT, Matthias Koeppe <matthiaskoe...@gmail.com> > wrote: > >On Saturday, February 10, 2024 at 2:56:57 PM UTC-8 Dima Pasechnik wrote: > > > >yes, make them standard, but keep them pip packages (i.e. no version > >pinning, no tarballs/checksums). > > > > > >By current policy, "standard" packages cannot be "pip" packages. This is > >documented in > >https://deploy-livedoc--sagemath.netlify.app/html/en/developer/packaging#package-source-types > > > >I believe the reason is that it would conflict with the longstanding > >practice of the project to ship Sage releases in the form of a > >self-contained source tarball, from which Sage can be installed in an > >environment without network access. > > It's long overdue to revise this policy. > If someone wants to use Sage in a 3-letter agency-like environment, we need > not facilitate this admittedly rare scenario, we are not in spyware tools > business after all. > > Besides, it is hard to create an installation medium with all the necessary > extra packages on it, e.g. by downloading these missing wheels while running > "make dist" (or whatever is used to create these tarballs) > > How about we initiate a vote on letting standard packages be pip packages? > > > > > > > >I will note that I personally never use these tarballs (nor have I > >recommended to anyone to use them), but historically it has been the > >expectation of the community. See for example the 2016 sage-devel thread > >https://groups.google.com/g/sage-devel/c/C7-ho1zvEYU/m/Ep8i-cbHAgAJ on a > >similar topic. > > > >So for the purpose of the present poll, let us assume that the packages > >would be added as standard "wheel" packages. > > > > -- > You received this message because you are subscribed to the Google Groups > "sage-devel" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to sage-devel+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/sage-devel/764854CA-8AFD-4FB2-8A51-42F58BDE5D31%40gmail.com. -- William (http://wstein.org) -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/CACLE5GCmsdQ5tgDk5%2BoP%3DZWYeCTOKMXWpkOp3QsP9WuXZ5D-VA%40mail.gmail.com.
