@carljm
Created March 12, 2013 18:12
It seems to me that there's a remarkable level of consensus developing
here (though it may not look like it), and a small set of remaining open
questions.
The consensus (as I see it):
- Migrate away from scraping external HTML pages, with package owners in
control of the migration but a deadline for a forced switch, as outlined
in Holger's PEP (with all appropriate caution and testing).
- In some way, migrate to a situation where the popular installer tools
install only release files from PyPI by default, but are capable of
installing from other locations if the user provides an option.
The open question is basically how to implement the latter portion. I
see two options proposed:
A) Leave external links in the PyPI simple index, but migrate the major
tools to not use external links by default (i.e. Philip's plan to make
allow-hosts=pypi the default in a future setuptools), with an option to
turn them back on.
or
B) Do a second PyPI migration, again with a per-package toggle and
package owners in control, to a "no external links in simple index" setting.
Consider for a moment how similar the end state here is with either A or
B. In either case, by default users install only from PyPI, but by
providing a special option they can install from some external source.
(In B, that special option would be something like --find-links with a
URL.) In either case, we can continue to allow packages to register
themselves on PyPI, be found in searches, etc., without uploading release
files to PyPI if they prefer not to; they'll just have to provide
special installation instructions to their users in that case.
Here are some differences:
1) With B, we can provide a gentler migration for package owners, where
they are in control of when the switch happens. With A, regardless of
how it's done at some point some package owners are likely to start
getting "hey, I can't install your stuff anymore" reports from users,
and they can't control when that starts happening.
2) With B, all end users benefit from the new defaults, not only end
users who update to the latest and greatest tools.
3) With B (and probably some forms of A as well), end users clearly
state which external sources they would like to trust and install from,
rather than having a global "trust everything!" flag, which is less
secure and less sensible.
It seems to me that option B (a controlled, per-package, PyPI migration
to no-external-links in simple index) is a better migration path than A
(leaving it up to external tools), and the end result either way is very
similar.
Carl
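As an added illustration (not part of Carl's message or of any installer's actual code), here is a small Python filter of the kind option A describes: links scraped from a PyPI simple-index page are kept only when their host is on an explicit allow-list, which defaults to PyPI itself, so an external source has to be named by the user rather than switched on by a global "trust everything" flag. The index URL and the HTML page are constructed samples.

```python
# Added example: an "allow-hosts" style filter over a simple-index page.
# Not taken from setuptools or pip; written to show the default-to-PyPI idea.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample index URL and page (not a real PyPI listing).
INDEX_URL = "https://pypi.python.org/simple/examplepkg/"
INDEX_HTML = """<html><body>
<a href="../../packages/source/e/examplepkg/examplepkg-1.0.tar.gz#md5=0123">examplepkg-1.0.tar.gz</a><br/>
<a href="http://example.org/dist/examplepkg-1.1.tar.gz" rel="download">1.1 external</a><br/>
<a href="http://example.org/examplepkg/" rel="homepage">home</a><br/>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the index page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            if "href" in attrs:
                self.links.append((attrs["href"], attrs.get("rel")))


def classify_links(index_url, html, allow_hosts=("pypi.python.org",)):
    """Resolve each href against the index URL and split into allowed/blocked.

    Only the default host list (PyPI) is trusted unless the caller names
    more hosts explicitly. rel="homepage" links are project pages, not
    release files, so they are never treated as install candidates.
    """
    parser = LinkCollector()
    parser.feed(html)
    allowed, blocked = [], []
    for href, rel in parser.links:
        if rel == "homepage":
            continue
        url = urljoin(index_url, href)
        host = urlparse(url).hostname
        (allowed if host in allow_hosts else blocked).append(url)
    return allowed, blocked


if __name__ == "__main__":
    ok, dropped = classify_links(INDEX_URL, INDEX_HTML)
    print("allowed:", ok)
    print("blocked (external, not opted in):", dropped)
```

Passing `allow_hosts=("pypi.python.org", "example.org")` opts the user in to that one external host, which is the per-source trust decision point 3 argues for.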