warehouse
Deprecate TestPyPI After Period of Time
What's the problem this feature will solve?
Removes confusion of incorrectly referring to an older release uploaded to TestPyPI when the intent was to refer to the current release on PyPI.
Describe the solution you'd like
- Remove Python Packages from TestPyPI after a period of time.
- TestPyPI alerts that a more recent Python Package is available on PyPI
Additional context
- https://github.com/psf/requests/issues/6622
- Decreases likelihood of a Software Supply Chain Attack.
There's plenty of discussion about test.pypi.org on discuss.python.org. For example: https://discuss.python.org/t/test-pypi-org-is-marginally-unusable-if-my-explanation-is-correct/32830
The issue 'Draft release feature on main archive to allow testing a release before it goes live' would likely solve most of the problems with TestPyPI.
> Removes confusion of incorrectly referring to an older release uploaded to TestPyPI when the intent was to refer to the current release on PyPI.
Making sure I understand: is this happening in your environment because you're using TestPyPI as an extra package index in a production environment?
If so: please consider not doing that! TestPyPI is not a suitable production index: there is no guarantee that project foo on PyPI is controlled by the same people on TestPyPI (or even that every PyPI user has a TestPyPI account). TestPyPI's primary functions are (1) to give projects a way to smoke-test their uploads, and (2) provide a basic staging environment for features that are still feature-flagged on PyPI itself.
To my knowledge, there is no official documentation encouraging people to use TestPyPI in this way. But if you found a source that suggests doing this, please let me know and I'll try and get it fixed.
TL;DR: TestPyPI may be removed at some point in the future, but in the meantime: absolutely do not rely on it as a package index. It is not intended to be a stable source of Python packages, has no retention guarantees, and (most importantly) does not share the same namespace and accounts as PyPI.
@woodruffw writes:
> Making sure I understand: is this happening in your environment because you're using TestPyPI as an extra package index in a production environment?

It is not possible to specify an extra package index as --index-url https://pypi.python.org/simple/ was specified within requirements.txt as per https://caremad.io/posts/2013/07/setup-vs-requirement/ before I uploaded the Python Package to TestPyPI.