
The author doesn't want anything.

The index wants something for their own reasons, but for some reason considers it reasonable to demand the author do something they want instead of doing the thing they want themselves.

The author provides various ideas for how they could get what they want by doing it themselves or by organizing volunteers who choose to work on that.

It's like demanding a better man-page than the author supplied, instead of writing one or facilitating someone else who may be willing to work on documentation.



If you walk into my house and I ask you to take off your shoes, you can turn around and walk away. I am well within reason to make that demand - it's my house.




OK, I'll skip the obvious analogy. PyPI is a free, open source service. It hosts packages for distribution. When you go to PyPI you say "Hi, I would like to distribute software, can you do this?" and they say "Yes, you can do this for free. There's some terms of use, and we require 2FA."

You can say "Great, I accept all of that, thanks for providing distribution of my code for no monetary cost to me" or you can say "Ah, ok, thanks anyways but I would prefer not to accept that".

Is that clearer?


The more correct analogy of what it looks like in a few months is PyPI coming back to you after a while saying "this package we are hosting for free you can only update or delete if you now follow these new terms of use. If you don't agree we take away your access but retain the package."


You can't say that's more correct. That's a prediction about the future that's based on nothing, as far as I can tell. Does PyPI have a history of increasing, unwelcome restrictions?

I mean, of course you have to continuously accept terms of use changes as you publish to them. That is the same as anything else. To tack on a bit of additional conversation,

"Hi, I previously published v 0.1, I would now like to publish v 0.2"

"OK, cool, we have a new EULA if you want to publish 0.2"

"Great, no problem, signed and now I'll publish" / "Ah, I don't like those new terms, I'll publish elsewhere or not publish at all"

I don't get the complication here.


> You can't say that's more correct. That's a prediction about the future that's based on nothing, as far as I can tell.

The statement I made is based on what is currently communicated. The "terms" are purely "you need to use 2FA" (which, just to be clear, I already said I have no quarrels with). I cannot judge what the future requirements for critical packages will be. Donald Stufft from PyPI on Twitter said that he could imagine requiring signed releases (https://twitter.com/dstufft/status/1545503252871004161).

> I don't get the complication here.

Maybe there is none, maybe there is. The consequence however undoubtedly is that if you do not accept the terms you lose access to your package on PyPI.


> Maybe there is none, maybe there is. The consequence however undoubtedly is that if you do not accept the terms you lose access to your package on PyPI.

Right but I just don't get why this is notable or why anyone would ever be surprised by this, or why this would ever be controversial. I just can not wrap my head around this being framed as a complex issue when it seems so very straightforward.


It is indeed so very straightforward and not a complex issue, which begs the question why you might not be able to wrap your head around it. I call volition.


Federated / self-service responsibilities are the only way things like this ever scale. In your example, it makes sense the index wants to push the responsibility out broadly, there’s no way the index can develop the breadth and depth of expertise necessary to write high quality man pages for every package - they’re too busy using their limited resources on maintaining the index (their “vertical”).


So what? Too bad? No one else's problem? The reasons they want things vetted and attested was never contested. The fact it's a lot of work, is a given. And neither of those things explain why the author has to do it, necessarily. Maybe it's natural, maybe the author of a thing is generally the best positioned to attest and support their own output, but so what?

If they find the software valuable enough that it matters that it's verified and certified, and the supplier doesn't feel like doing it, they could do it themselves or arrange for others to do it or delist the filthy uncertified package or just tag it as not certified. There are all kinds of options besides demanding a volunteer do something they didn't already feel like doing voluntarily.

I don't get why everyone confuses the obligations here. Just because PyPI wants something, no matter how understandable the reasons, doesn't change the fact that it's PyPI who wants it, for their own reasons.

The author derives no value from it (not necessarily; they may choose to value the credit and exposure of their work appearing in the index, but they also may not). PyPI derives value from it, and all of the users derive value from it.

The obligation for supplying that extra frosting they want on the cake lies with those who want it.


I’m not at all confused about the obligations.

You seem to be confusing requests and demands.

PyPI requests that you take certain steps once your package is deemed critical. If you don't, they prevent you from releasing new versions.



