[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Thomas Goirand zigo at debian.org
Mon May 4 23:13:16 UTC 2015


On 05/05/2015 12:15 AM, Ian Cordasco wrote:
> For what it’s worth Thomas and Maxime, removing the old versions from PyPI
> is likely to be a bad idea.

Probably, but it's legally wrong (ie: worst case, you can be sued) to 
leave a package which is in direct violation of the license of things it 
contains.

> An increasing number of deployers have stopped
> relying on system packages and install either from source or from PyPI. If
> they’re creating frozen lists of dependencies, you *will* break them.

I don't think we have a choice here. Or do you want to push Maxime to 
take the legal risks? I wouldn't do that...

Anyway, here, we're talking about xstatic-angular-bootstrap, and it's 
safe to say that nothing else but horizon depends on it. So we should be 
fine.

> While I agree that those distributions are violating the license, I think
> it is a mistake that no one believes is malicious and which no one will
> actually chase after you for.

Are you a lawyer? Do you have a special connection with people from 
bootstrap and angular, and they told you so?

> If you’re very concerned about it, you can
> create updated releases of all of those packages (for PyPI).

Even if you aren't concerned, please do create an updated release on 
PyPI so that it can be uploaded to Debian.

> If you have
> version 1.2.3, you can release version 1.2.3.post1 to indicate that the
> source code itself didn’t exactly change but some metadata was added or
> fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over
> 1.2.3.

There's no need to do this, there's already 4 digits in XStatic 
packages. Just increasing the ultra-micro (ie: the last digit) in the 
version number is fine. I fail to see why one would need to 
over-engineer this with a .post1 suffix.

Cheers,

Thomas Goirand (zigo)
