trollius has been removed from PyPI; ZEO cannot be installed on 2.7 #146

Closed
jamadden opened this issue Jul 29, 2019 · 18 comments

@jamadden
Member

jamadden commented Jul 29, 2019

That means ZEO can no longer be installed on Python 2.7:

Collecting trollius; python_version == "2.7" (from ZEO>=5.2->RelStorage==3.0a6.dev0)
  ERROR: Could not find a version that satisfies the requirement trollius; python_version == "2.7" (from ZEO>=5.2->RelStorage==3.0a6.dev0) (from versions: none)
ERROR: No matching distribution found for trollius; python_version == "2.7" (from ZEO>=5.2->RelStorage==3.0a6.dev0)

Command exited with code 1

It should be noted that Plone 5.2 depends on trollius 2.2, and Plone 5.1 depends on 2.1.

Luckily I had some pre-built wheels of 2.2 that I re-uploaded which might solve the problem in some cases (it seemed to fix my CI), but I cannot upload the trollius-2.2.tar.gz file (because that name had already been used).

Perhaps we can coordinate with @vstinner to find a happy resolution.

@vstinner

I suggest you vendor a copy of trollius and maintain it ;-) Or take ownership of the project. I don't want to maintain it anymore: it has been deprecated since 2016.

@jensens
Member

jensens commented Jul 29, 2019

Removing packages from PyPI is IMO one of the very evil things one can do (coders POV). Like to poke the anthill.

Thanks @jamadden ❤️ for taking over the work to restore it for all us poor folks with installations using it. Transition to Zope 4 takes a while with large projects.

@zopyx
Member

zopyx commented Jul 29, 2019

> Removing packages from PyPI is IMO one of the very evil things one can do (coders POV). Like to poke the anthill.

Released is released.

@mgedmin
Member

mgedmin commented Jul 29, 2019

I think removing a package from PyPI is fine under some circumstances: if the package is unsafe (e.g. contains a security vulnerability, or wipes your hard drive due to a bug in the install script, etc.)

@jamadden: I think you'll have to upload a trollius-2.2.post1.tar.gz. I've never done so before, so I don't know if it's sufficient to rename the filename (probably not), or if you have to do a whole new release.

Might be a good idea to do a release anyway, to change the maintainer metadata in setup.py. Also, I have an open PR against trollius that adds a working Appveyor config for building and uploading Windows binary wheels, you may want to merge that one before cutting out a 2.2.1 release. (I assume you've got GitHub access too -- I see you're already the maintainer on PyPI. Or if not, you can fork it and change the URL in setup.py.)

@mgedmin
Member

mgedmin commented Jul 29, 2019

BTW I have Trollius 2.2 binary Windows wheels available at https://debesis.gedmin.as/wheels/, if you want to upload those in the meantime.

@webknjaz

> I think you'll have to upload a trollius-2.2.post1.tar.gz

FTR you should probably use .post1 for both wheels and sdist. Just because pip will pick up the latest one and will end up only seeing sdist because of missing wheels for this version.

@jamadden
Member Author

I've updated metadata (to further emphasize the lack of support) and included the PR to build Windows wheels (partly; the test dependencies are no longer available either, so we cannot actually test it anymore) and published 2.2.post1 as sdist and Windows wheels. RelStorage, at least, picked it up seamlessly and is building fine.

I'd like to offer a huge thank-you to @vstinner for maintaining trollius this far, and for being so gracious in letting us republish it for the sake of our existing dependents. Please let me know if there's anything more that should be changed.

I do not plan to do any sort of maintenance on this. (I already maintain one async library; that's more than enough 😄 ) If someone else is motivated to make improvements, or if we think the repo should be somewhere else (zopefoundation?) I'm happy to turn over the keys (I've already invited a few people to be collaborators on both the project and the repo, just to improve the bus factor).

@tseaver
Member

tseaver commented Jul 29, 2019

@vstinner

> I suggest you vendor a copy of trollius and maintain it ;-) Or take ownership of the project. I don't want to maintain it anymore: it has been deprecated since 2016.

Removing a deprecated project because you don't want to maintain it is definitely an unfriendly act to the community (as opposed to force majeure). There is a Trove classifier for such projects (Development Status :: 7 - Inactive), so the reasonable thing to do would be to make a final release with that classifier, with prominent notes in the readme / long description.

@vstinner

Trollius is deprecated since its version 2.1 released in 2016. It's well documented in its documentation:

and in the README file: https://github.com/vstinner/trollius/blob/trollius/README.rst

I even modified "python2 setup.py" to emit a big warning: https://github.com/vstinner/trollius/blob/trollius/setup.py#L86

You had 3 years to prepare your project: take over the maintenance of Trollius or switch to a different solution.

Remember that it's an open source software distributed under the Apache license which says "... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND".

By the way, the README file also says "No Maintenance Intended": http://unmaintained.tech/

I made this Trollius project for fun, it's not my job, so I don't see why I would owe anything to the community. So I just ignore people telling me how I should have handled the end of life of this project. Please go ahead and maintain the project if you know how to handle it :-)

@vstinner

I'm still open to transfer the ownership to whoever wants to maintain Trollius. But I don't want to maintain it anymore, as explained previously :-)

@zopyx
Member

zopyx commented Jul 30, 2019

> Trollius is deprecated since its version 2.1 released in 2016. It's well documented in its documentation:
>
> and in the README file: https://github.com/vstinner/trollius/blob/trollius/README.rst
>
> I even modified "python2 setup.py" to emit a big warning: https://github.com/vstinner/trollius/blob/trollius/setup.py#L86
>
> You had 3 years to prepare your project: take over the maintenance of Trollius or switch to a different solution.
>
> Remember that it's an open source software distributed under the Apache license which says "... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND".
>
> By the way, the README file also says "No Maintenance Intended": http://unmaintained.tech/
>
> I made this Trollius project for fun, it's not my job, so I don't see why I would owe anything to the community. So I just ignore people telling me how I should have handled the end of life of this project. Please go ahead and maintain the project if you know how to handle it :-)

Released is released.

Do you (at Red Hat) remove unmaintained packages from old distributions?

What an absurd and arrogant and ignorant argumentation chain.

@gotcha
Member

gotcha commented Jul 30, 2019

> By the way, the README file also says "No Maintenance Intended": http://unmaintained.tech/
>
> I made this Trollius project for fun, it's not my job, so I don't see why I would owe anything to the community. So I just ignore people telling me how I should have handled the end of life of this project. Please go ahead and maintain the project if you know how to handle it :-)

@vstinner It is definitely your right to stop maintaining a package.

More importantly, the thanks from @jamadden for your previous work are definitely deserved (I am adding my thanks)!

However, removing packages from PyPI should be a no-go except for the reasons pointed out by @mgedmin.

@vstinner

Different people asked me why I decided to remove the project from PyPI rather than doing nothing.

Maintaining a project is a non-zero cost. Different people disagree with me on this point, but I don't want to elaborate (there are enough articles on this topic on the Internet).

I removed Trollius from PyPI to send a strong signal: I don't want to maintain this project anymore, the project is looking for a new maintainer. I don't want to be responsible for a project with open issues and open pull requests. As I explained previously, I already tried soft approaches (deprecation, "no maintenance intended", etc.) previously to find a new maintainer, but they didn't work.

Republishing Trollius on PyPI is trivial: @jamadden already did it. But it doesn't solve the maintenance problem. My long term plan is to remove https://github.com/vstinner/trollius. But I don't plan to do it soon, since I know that it would cause even more trouble. I would prefer to transfer the project to ensure that the project remains available somehow.

If your business relies on Trollius, well, simply take over the maintenance of Trollius. So you will be able to estimate the maintenance cost. Good for you if it's a zero cost ;-) The project has 7 open issues and 2 open pull requests.

So far, nobody has offered to take over the maintenance of the project. @jamadden wrote: "I do not plan to do any sort of maintenance on this".


Note: I am not paid by Red Hat to maintain Trollius, it was a side-project that I was maintaining in my free time. Professional support is not free. You cannot expect the same service level from a free project.

@gotcha
Member

gotcha commented Jul 30, 2019

@vstinner If I understand correctly what you explain above, removing the project from PyPI is a stronger way of stating that you do not plan to maintain that code anymore.

Are you getting hassled to fix the open issues? Or feeling too responsible to ignore them?

Maintenance (or no maintenance) as well as the process around zombie projects is an important question for the OS community.

I hope this does not sound unfriendly.

@webknjaz

FYI the dists are still somewhere on the CDN: pypi/warehouse#6319 (comment)

Here's a few pointers for whom it may concern.

You might be able to recover all original dists from there. Here's the explanation.
Long story short, use https://files.pythonhosted.org/packages/{python_version}/{project_l}/{project_name}/{filename}

Example:
https://files.pythonhosted.org/packages/source/t/trollius/trollius-2.2.tar.gz
(redirects to https://files.pythonhosted.org/packages/98/47/000d403a209e5d0c2753feabd3bbbd09a11e32652899abffc1ef5d5c0abb/trollius-2.2.tar.gz) serves the original file.

@mauritsvanrees
Member

Apparently, in the future it should be possible to 'yank' a file or a project from PyPI, so the version will not be installed by default, but is available if you explicitly want it. See the recently accepted PEP 592. If I understand correctly, nothing has been done on PyPI yet, but it should be possible at some point.

Latest pip supports it: yanked releases will have an html class and they will be ignored by pip, unless explicitly allowed with an extra option. Buildout (which most ZEO users will be using I think) and other tools can still find the yanked releases if they explicitly ask for such a version.

So it should be better for everyone in a while.
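
How an installer can apply the yanking rule discussed in the comment above, as an added example that is not part of the original thread and is not pip's code: PEP 592 marks a yanked file with a `data-yanked` attribute on its link in the simple index, and the sketch below skips such files unless a version is pinned exactly. The project name `examplepkg`, the URLs, the digests and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed PEP 503 index page for a hypothetical project "examplepkg".
# URLs and digests are placeholders, not real files or hashes.
SAMPLE_INDEX = """
<a href="https://files.example/examplepkg-2.1.tar.gz#sha256=PLACEHOLDER_DIGEST_1">examplepkg-2.1.tar.gz</a>
<a href="https://files.example/examplepkg-2.2.tar.gz#sha256=PLACEHOLDER_DIGEST_2" data-yanked="unmaintained">examplepkg-2.2.tar.gz</a>
<a href="https://files.example/examplepkg-2.2-py2-none-any.whl#sha256=PLACEHOLDER_DIGEST_3" data-yanked>examplepkg-2.2-py2-none-any.whl</a>
<a href="https://files.example/examplepkg-2.2.post1.tar.gz#sha256=PLACEHOLDER_DIGEST_4">examplepkg-2.2.post1.tar.gz</a>
"""


class SimpleIndexParser(HTMLParser):
    """Collect one record per <a> element of a simple index page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)  # a bare attribute (data-yanked) maps to None
        url, fragment = urldefrag(attr.get("href") or "")
        self.links.append({
            "filename": url.rsplit("/", 1)[-1],
            "hash": fragment or None,          # e.g. "sha256=<hex digest>"
            "yanked": "data-yanked" in attr,   # presence alone marks the file
            "reason": attr.get("data-yanked") or "",
        })


def file_version(filename):
    """Version field of an sdist/wheel name (assumes no '-' in the project name)."""
    for suffix in (".tar.gz", ".zip", ".whl"):
        if filename.endswith(suffix):
            filename = filename[: -len(suffix)]
    return filename.split("-")[1]


def candidates(index_html, pinned=None):
    """Unpinned: skip yanked files. Exact pin: yanked files stay eligible."""
    parser = SimpleIndexParser()
    parser.feed(index_html)
    if pinned is None:
        return [f for f in parser.links if not f["yanked"]]
    return [f for f in parser.links if file_version(f["filename"]) == pinned]
```

With the constructed index, an unpinned request sees only 2.1 and 2.2.post1, while an exact pin on 2.2 still finds both yanked files together with the recorded reason.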

@nedbat

nedbat commented Aug 6, 2019

"I didn't want to maintain it any more" is different than, "I am going to delete all the existing releases." This was uncalled for.

@dataflake
Member

Looks like the situation is fixed by applying workarounds, so I'll be closing this issue.
