[Zope3-dev] Re: Known working sets II [was: Eggification redux]

Tres Seaver tseaver at palladion.com
Fri Sep 28 11:10:00 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martijn Faassen wrote:

> On 9/28/07, Tres Seaver <tseaver at palladion.com> wrote:
> [snip]
>> Total effort involved in maintaining the "gated community" then becomes
>> keeping a set of tarballs available at some web-downloadable location,
>> and re-running the script after adding / removing them to regenerate
>> the index.
> 
> How many of these communities are you going to need? Why can't you
> simply maintain a list of exact versions with version numbers to pull
> from the cheeseshop instead?

Because you can't trust that packages will not get removed, or even
re-released under the same version number, on PyPI:  not everybody has
the same "package hygiene" ethos.

> This is already possible with the
> versions feature of buildout. I want something where I can maintain
> these lists better for frameworks inside packages, but if you're just
> going to make lists of packages in the end, why mirror? Is this
> because you're using easy_install and you can't use the versions
> feature? Is it because you don't use buildout?

I've been using buildout and its precursors for *years*, and I still
have my "repeatable" builds break on occasion, e.g.:

 - The Postgres guys decide to yank an older package version from
   their servers because they've released a newer one.

 - Somebody does "repository surgery" in a way which breaks my checkout
   (e.g., because Subversion checks the revision number *after*
   traversal rather than before).

 - Somebody uploads a "fixed" tarball of a release without bumping
   the version number.

In the end, if you want predictable / repeatable deployment, you have to
mirror the sources.  The fact that easy_install's '--index-url' feature
makes such a mirror convenient is just a bonus.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG/RlI+gerLs4ltQ4RAjEJAKDTokuKZSiLaJbHKhyQ+wOBvZHpnwCgz8rt
wF5HH7htyMh/+VVyTeTpSQ4=
=crEB
-----END PGP SIGNATURE-----
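
The mirror-and-regenerate workflow discussed in this message, as an added example that is not part of the original post or of any Zope or setuptools tooling: it scans a directory of sdist tarballs, compares the result with a previously pinned manifest to flag yanked releases and tarballs re-uploaded under an unchanged version number, and renders a flat links page with `#sha256=` fragments. The function names, the file naming pattern and the flat page layout are assumptions, and the tarball contents are constructed.

```python
import hashlib
import html
import re
import tempfile
from pathlib import Path

# Assumed sdist naming: <name>-<version>.<tar.gz|tgz|zip>
SDIST_RE = re.compile(r"^(?P<name>.+)-(?P<version>\d[^-]*)\.(?:tar\.gz|tgz|zip)$")

def scan(mirror_dir):
    """Map (name, version) -> (filename, sha256) for every sdist in the mirror."""
    found = {}
    for path in sorted(Path(mirror_dir).iterdir()):
        m = SDIST_RE.match(path.name)
        if m and path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            found[(m["name"].lower(), m["version"])] = (path.name, digest)
    return found

def audit(pinned, current):
    """Report drift between the pinned manifest and what the mirror holds now."""
    return {
        "removed": sorted(k for k in pinned if k not in current),
        # Same name and version, different bytes: a silent re-release.
        "replaced": sorted(k for k in pinned
                           if k in current and pinned[k][1] != current[k][1]),
        "added": sorted(k for k in current if k not in pinned),
    }

def render_index(current):
    """Flat HTML links page; the hash fragment lets an installer verify each file."""
    rows = ['<a href="%s#sha256=%s">%s</a><br/>' % (html.escape(fn), digest, html.escape(fn))
            for fn, digest in sorted(current.values())]
    return "<html><body>\n" + "\n".join(rows) + "\n</body></html>\n"

def demo():
    """Constructed mirror: pin it, then simulate a re-upload, a yank and a new release."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "example.pkg-1.0.tar.gz").write_bytes(b"release 1.0")
        (root / "other-2.1.tar.gz").write_bytes(b"release 2.1")
        pinned = scan(root)
        (root / "example.pkg-1.0.tar.gz").write_bytes(b"'fixed' 1.0")  # version not bumped
        (root / "other-2.1.tar.gz").unlink()                           # older version yanked
        (root / "other-2.2.tar.gz").write_bytes(b"release 2.2")
        current = scan(root)
        return audit(pinned, current), render_index(current)

if __name__ == "__main__":
    print(demo()[0])
```

Keeping the pinned manifest under version control next to the build configuration means a "replaced" entry shows up as a reviewable diff before the index is regenerated.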

