PEP: 527 Title: Removing Un(der)used file types/extensions on PyPI Version: $Revision$ Last-Modified: $Date$ Author: Donald Stufft BDFL-Delegate: Nick Coghlan Discussions-To: distutils-sig@python.org Status: Accepted Type: Process Content-Type: text/x-rst Created: 23-Aug-2016 Post-History: 23-Aug-2016 Resolution: https://mail.python.org/pipermail/distutils-sig/2016-September/029624.html Abstract ======== This PEP recommends deprecating, and ultimately removing, support for uploading certain unused or under used file types and extensions to PyPI. In particular it recommends disallowing further uploads of any files of the types ``bdist_dumb``, ``bdist_rpm``, ``bdist_dmg``, ``bdist_msi``, and ``bdist_wininst``, leaving PyPI to only accept new uploads of the ``sdist``, ``bdist_wheel``, and ``bdist_egg`` file types. In addition, this PEP proposes removing support for new uploads of sdists using the ``.tar``, ``.tar.bz2``, ``.tar.xz``, ``.tar.Z``, ``.tgz``, ``.tbz``, and any other extension besides ``.tar.gz`` and ``.zip``. Finally, this PEP also proposes limiting the number of allowed sdist uploads for each individual release of a project on PyPI to one instead of one for each allowed extension. Rationale ========= File Formats ------------ Currently PyPI supports the following file types: * ``sdist`` * ``bdist_wheel`` * ``bdist_egg`` * ``bdist_wininst`` * ``bdist_msi`` * ``bdist_dmg`` * ``bdist_rpm`` * ``bdist_dumb`` However, these different types of files have varying amounts of usefulness or general use in the ecosystem. Continuing to support them adds a maintenance burden on PyPI as well as tool authors and incurs a cost in both bandwidth and disk space not only on PyPI itself, but also on any mirrors of PyPI. Python packaging is a multi-level ecosystem where PyPI is primarily suited and used to distribute virtual environment compatible packages directly from their respective project owners. These packages are then consumed either directly by end-users, or by downstream distributors that take these packages and turn them into their respective system level packages (such as RPM, deb, MSI, etc). While PyPI itself only directly works with these Python specific but platform agnostic packages, we encourage community-driven and commercial conversions of these packages to downstream formats for particular target environments, like: * The conda cross-platform data analysis ecosystem (conda-forge) * The deb based Linux ecosystem (Debian, Ubuntu, etc) * The RPM based Linux ecosystem (Fedora, openSuSE, Mageia, etc) * The homebrew, MacPorts and fink ecosystems for Mac OS X * The Windows Package Management ecosystem (NuGet, Chocalatey, etc) * 3rd party creation of Windows MSIs and installers (e.g. Christoph Gohlke's work at http://www.lfd.uci.edu/~gohlke/pythonlibs/ ) * other commercial redistribution formats (ActiveState's PyPM, Enthought Canopy, etc) * other open source community redistribution formats (Nix, Gentoo, Arch, \*BSD, etc) It is the belief of this PEP that the entire ecosystem is best supported by keeping PyPI focused on the platform agnostic formats, where the limited amount of time by volunteers can be best used instead of spreading the available time out amongst several platforms. Further more, this PEP believes that the people best positioned to provide well integrated packages for a particular platform are people focused on that platform, and not across all possible platforms. bdist_dumb ~~~~~~~~~~ As it's name implies, ``bdist_dumb`` is not a very complex format, however it is so simple as to be worthless for actual usage. For instance, if you're using something like pyenv on macOS and you're building a library using Python 3.5, then ``bdist_dumb`` will produce a ``.tar.gz`` file named something like ``exampleproject-1.0.macosx-10.11-x86_64.tar.gz``. Right off the bat this file name is somewhat difficult to differentiate from an ``sdist`` since they both use the same file extension (and with the legacy pre PEP 440 versions, ``1.0-macosx-10.11-x86_64`` is a valid, although quite silly, version number). However, once you open up the created ``.tar.gz``, you'd find that there is no metadata inside that could be used for things like dependency discovery and in fact, it is quite simply a tarball containing hardcoded paths to wherever files would have been installed on the computer creating the ``bdist_dumb``. Going back to our pyenv on macOS example, this means that if I created it, it would contain files like: ``Users/dstufft/.pyenv/versions/3.5.2/lib/python3.5/site-packages/example.py`` bdist_rpm ~~~~~~~~~ The ``bdist_rpm`` format on PyPI allows people to upload ``.rpm`` files for end users to manually download by hand and then manually install by hand. However, the common usage of ``rpm`` is with a specially designed repository that allows automatic installation of dependencies, upgrades, etc which PyPI does not provide. Thus, it is a type of file that is barely being used on PyPI with only ~460 files of this type having been uploaded to PyPI (out a total of 662,544). In addition, services like `COPR `_ provide a better supported mechanism for publishing and using RPM files than we're ever likely to get on PyPI. bdist_dmg, bdist_msi, and bdist_wininst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The ``bdist_dmg``, ``bdist_msi``, and ``bdist_winist`` formats are similar in that they are an OS specific installer that will only install a library into an environment and are not designed for real user facing installs of applications (which would require things like bundling a Python interpreter and the like). Out of these three, the usage for ``bdist_dmg`` and ``bdist_msi`` is very low, with only ~500 ``bdist_msi`` files and ~50 ``bdist_dmg`` files having been uploaded to PyPI. The ``bdist_wininst`` format has more use, with ~14,000 files having ever been uploaded to PyPI. It's quite easy to look at the low usage of ``bdist_dmg`` and ``bdist_msi`` and conclude that removing them will be fairly low impact, however ``bdist_wininst`` has several orders of magnitude more usage. This is somewhat misleading though, because although it has more people *uploading* those files the actual usage of those uploaded files is fairly low. Taking a look at the previous 30 days, we can see that 90% of all downloads of ``bdist_winist`` files from PyPI were generated by the mirroring infrastructure and 7% of them were generated by setuptools (which can currently be better covered by ``bdist_egg`` files). Given the small number of files uploaded for ``bdist_dmg`` and ``bdist_msi`` and that ``bdist_wininst`` is largely existing to either consume bandwidth and disk space via the mirroring infrastructure *or* could be trivially replaced with ``bdist_egg``, this PEP proposes to include these three formats in the list of those to be disallowed. File Extensions --------------- Currently ``sdist`` supports a wide variety of file extensions like ``.tar.gz``, ``.tar``, ``.tar.bz2``, ``.tar.xz``, ``.zip``, ``.tar.Z``, ``.tgz``, and ``.tbz``. However, of those the only extensions which get anything more than negligable usage is ``.tar.gz`` with 444,338 sdists currently, ``.zip`` with 58,774 sdists currently, and ``.tar.bz2`` with 3,265 sdists currently. Having multiple formats accepted requires tooling both within PyPI and outside of PyPI to handle all of the various extensions that *might* be used (even if nobody is currently using them). This doesn't only affect PyPI, but ripples out throughout the ecosystem. In addition, the different formats all have different requirements for what optional C libraries Python was linked against and different requirements for what versions of Python they support. In addition, multiple formats also create a weird situation where there may be two ``sdist`` files for a particular project/release with subtly different content. It's easy to advocate that anything outside of ``.tar.gz``, ``.zip``, and ``.tar.bz2`` should be disallowed. Outside of a tiny handful, nobody has actively been uploading these other types of files in the ~15 years of PyPI's existence so they've obviously not been particularly useful. In addition, while ``.tar.xz`` is theoretically a nicer format than the other ``.tar.*`` formats due to the better compression ratio achieved by LZMA, it is only available in Python 3.3+ and has an optional dependency on the lzma C library. Looking at the three extensions we *do* have in current use, it's also fairly easy to conclude that ``.tar.bz2`` can be disallowed as well. It has a fairly small number of files ever uploaded with it and it requires an additional optional C library to handle the bzip2 compression. Finally we get down to ``.tar.gz`` and ``.zip``. Looking at the pure numbers for these two, we can see that ``.tar.gz`` is by far the most uploaded format, with 444,338 total uploaded compared to ``.zip``'s 58,774 and on POSIX operating systems ``.tar.gz`` is also the default produced by all currently released versions of Python and setuptools. In addition, these two file types both use the same C library (``zlib``) which is also required for ``bdist_wheel`` and ``bdist_egg``. The two wrinkles with deciding between ``.tar.gz`` and ``.zip`` is that while on POSIX operating systems ``.tar.gz`` is the default, on Windows ``.zip`` is the default and the ``bdist_wheel`` format also uses zip. Instead of trying to standardize on either ``.tar.gz`` or ``.zip``, this PEP proposes that we allow *either* ``.tar.gz`` or ``.zip`` for sdists. Limiting number of sdists per release ------------------------------------- A sdist on PyPI should be a single source of truth for a particular release of software. However, currently PyPI allows you to upload one sdist for each of the sdist file extensions it allows. Currently this allows something like 10 different sdists for a project, but even with this PEP it allows two different sources of truth for a single version. Having multiple sdists often times can account for strange bugs that only expose themselves based on which sdist that the person used. To resolve this, this PEP proposes to allow one, and only one, sdist per release of a project. Removal Process =============== This PEP does **NOT** propose removing any existing files from PyPI, only disallowing new ones from being uploaded. This restriction will be phased in on a per-project basis to allow projects to adjust to the new restrictions where applicable. First, any *existing* projects will be flagged to allow legacy file types to be uploaded, and any project without that flag (i.e. new projects) will not be able to upload anything but ``sdist`` with a ``.tar.gz`` or ``.zip`` extension, ``bdist_wheel``, and ``bdist_egg``. Then, any existing projects that have never uploaded a file that requires the legacy file type flag will have that flag removed, also making them fall under the new restrictions. Finally, an email will be generated to the maintainers of all projects still given the legacy flag, which will inform them of the upcoming new restrictions on uploads and tell them that these restrictions will be applied to future uploads to their projects starting in 1 month. Finally, after 1 month all projects will have the legacy file type flag removed, and support for uploading these types of files will cease to exist on PyPI. This plan should provide minimal disruption since it does not remove any existing files, and the types of files it does prevent from being uploaded are either not particularly useful (or used) types of files *or* they can continue to upload a similar type of file with a slight change to their process. Copyright ========= This document has been placed in the public domain. .. Local Variables: mode: indented-text indent-tabs-mode: nil sentence-end-double-space: t fill-column: 70 coding: utf-8 End: