|
Size: 4000
Comment:
|
Size: 4840
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 21: | Line 21: |
| distutils and placed into a new package that would also provide the protocol | distutils and placed into a new package that would also describe the protocol |
| Line 25: | Line 25: |
| interacting with the user when the .pypirc file is created, and they implement an authentication mecanism that push the user login and password values into the HTTP requests. This is done by picking a clear text password in .pypirc and pushing it into the request. So users have to call a very precise sequence of command in order to upload or even upgrade their packages. |
interacting with the user when the .pypirc file is created, and they implement an authentication mecanism that push the user login and password values into the HTTP request. This is done by reading a clear text password in .pypirc. |
| Line 32: | Line 30: |
| Let's improve all of this ! Let the user be able to use better password handling if he wishes, using hashes for instance. Let the user control that his long_description compiles in reST for example. |
The users have to call a very precise sequence of commandw with setup.py in order to upload or even upgrade their packages. |
| Line 36: | Line 33: |
| Let's define clearly in this new package what is the PyPI protocol. This would let anyone implement this protocol for the |
Let's improve all of this by: * improving password handling * improving metadata controls * providing a command line utility, independantly from setup.py * clearly describe the PyPI protocol The last point would let anyone implement this protocol for the |
| Line 40: | Line 43: |
| A first refactoring was made a few months ago to allow users to handle several PyPI logins and servers in .pypirc (http://bugs.python.org/issue1858) and the code responsible for .pypirc managment and for handling the registering and the upload was isolated. But this is a first step. |
== Improving password handling == |
| Line 45: | Line 45: |
| == Features the pypi module should bring == | Currently, the password is in clear text. Let's add a new variable in the .pypirc file that would let the user define what kind of hash he wants to use, from: |
| Line 47: | Line 48: |
| * the same feature distutils's register and upload does * better password handling, with hash capabilities * better metadata controls, for instance: * make sure the long_description compiles if it was written in reST |
* clear * md5 * sha1 By default the password would be in clear text, but this could be configured in pypirc for each password with a prefix to the password value when it is not in clear text. {{{ [distutils] ... [pypi] user=tarek password=sha1:Xfsg434 ... }}} A default value could be defined in the main section {{{ [distutils] ... default-hash=sah1 ... }}} And the command-line utility describe later in this PEP could use it to interact with the user if he wants to change his password. == Improving metadata controls == When a package is uploaded at PyPI, there are several things that can be done on the client-side in order to control it. * make sure the long_description compiles if it is written in reST |
| Line 53: | Line 87: |
| * browsing capabilities using PyPI XML-RPC features * an abstract definition of PyPI server |
|
| Line 56: | Line 88: |
| == What ? == | A new variable in .pypirc can be added in order to block a registration or an upload if the metadata does not meet the minimum requirements: {{{ [distutils] ... strict-verification=true ... }}} From there, the command line utility will be able to decide if it should continue or not. == Providing a command line utility, independantly from setup.py == |
| Line 92: | Line 137: |
| Browsing capabilities using PyPI XML-RPC features : XXX == Clearly describe the PyPI protocol == XXX TBD |
|
| Line 93: | Line 145: |
A first refactoring was made a few months ago to allow users to handle several PyPI logins and servers in .pypirc (http://bugs.python.org/issue1858) and the code responsible for .pypirc managment and for handling the registering and the upload were isolated. |
|
| Line 105: | Line 162: |
Then the new described features could be added there. == Detailed description == XXX Will be done if people like the idea |
Create a new package in python called pypi
- PEP: 373
- Title: Create a new package in python called pypi
- Author: Tarek Ziadé
- Discussions-To: Distutils SIG
- Status: Draft
- Python-Version: 2.6
Abstract
This PEP describes how the commands that are used to register and upload a package to PyPI can be extracted from distutils and put in a new independant package in Python called pypi, that would also describe the PyPI protocol.
Motivation
distutils is responsible for too many things, and the register and upload commands are completely standalone. In other words they can be extracted from distutils and placed into a new package that would also describe the protocol used by the PyPI server.
Secondly, there are a lot interactions in those two commands. They are interacting with the user when the .pypirc file is created, and they implement an authentication mecanism that push the user login and password values into the HTTP request. This is done by reading a clear text password in .pypirc.
The users have to call a very precise sequence of commandw with setup.py in order to upload or even upgrade their packages.
Let's improve all of this by:
- improving password handling
- improving metadata controls
- providing a command line utility, independantly from setup.py
- clearly describe the PyPI protocol
The last point would let anyone implement this protocol for the client-side or the server-side, by using this package as a base.
Improving password handling
Currently, the password is in clear text. Let's add a new variable in the .pypirc file that would let the user define what kind of hash he wants to use, from:
- clear
- md5
- sha1
By default the password would be in clear text, but this could be configured in pypirc for each password with a prefix to the password value when it is not in clear text.
[distutils] ... [pypi] user=tarek password=sha1:Xfsg434 ...
A default value could be defined in the main section
[distutils] ... default-hash=sah1 ...
And the command-line utility describe later in this PEP could use it to interact with the user if he wants to change his password.
Improving metadata controls
When a package is uploaded at PyPI, there are several things that can be done on the client-side in order to control it.
- make sure the long_description compiles if it is written in reST
- make sure the author_email is the same that the email of the PyPI account in usage
A new variable in .pypirc can be added in order to block a registration or an upload if the metadata does not meet the minimum requirements:
[distutils] ... strict-verification=true ...
From there, the command line utility will be able to decide if it should continue or not.
Providing a command line utility, independantly from setup.py
Let's drop the setup.py command line to register and upload a package. The pypi module can handle this as long as the package is pointed. A high-level script can be provided in the Scripts/ folder of Python, and a developer can use it to control, register or upload a package.
Here's a example
$ cd my.package
$ pypi check
Checking metadata...
Warning : The 'url' metadata is missing
Warning: The long_description seem to be in reStructuredText,
but does not compile
$ pypi register -r tarek
Registering the package using "tarek" account in .pypirc
...
Registered !
$ pypi upload
What kind of release do you want to upload ?
Available releases:
sdist Source release
bdist Binary release
....
Type the desired released, separated by a space [sdist] : _The pypi command could also let you browse PyPI, like the Yolk project does (see http://pypi.python.org/pypi/yolk)
Browsing capabilities using PyPI XML-RPC features : XXX
Clearly describe the PyPI protocol
XXX TBD
How ?
A first refactoring was made a few months ago to allow users to handle several PyPI logins and servers in .pypirc (http://bugs.python.org/issue1858) and the code responsible for .pypirc managment and for handling the registering and the upload were isolated.
The first action would be to create a new package called pypi and to copy the code from distutils, in order to make it work on its own.
The files to use are:
- distutils/config.py : the base class that handles .pypirc
- distutils/commands/register.py : the command that registers a package
- distutils/commands/upload.py : the command that uploads a package
We can add deprecated flags into distutils, just to warn people to use the new module instead.