I don’t think there’s a topic for this yet, so I thought I’d start one. One item from me.
Helping users to test PyPA tool releases before using them in production
We’ve had a few recent issues with new releases hitting users’ production CI and generating significant issues, with little or no warning. How do we avoid this? We already suggest that users test new releases before going live with them, but that’s hard for them to do. Some thoughts:
- Release beta versions/release candidates. But how do we get people to use them?
- A lot of the problem is likely due to the fact that workflows like `tox`, or `pip install`, or `virtualenv` pull in the latest version of all tools. It’s basically fairly difficult to pin versions on your production CI. What can we do to make the defaults less risky, and to make pinning the natural option, rather than a complicated choice that no-one bothers with until they’ve been thoroughly burned?
- Do tools like pip, setuptools, virtualenv, tox need to publish “known stable” versions? Can we do this without making continuous releases or calendar-based releases impossible? How does this impact the need to make newer functionality (like PEP 517, or TUF) available to users as quickly as possible?
- Do we need funded/commercial support for something like this? Volunteer-based release management shouldn’t be expected to provide 1-hour turnaround on fixes for release issues, no matter how many people use that project.
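One concrete way to make pinning the default on a CI runner, as an added example that is not part of the post above and not PyPA's own tooling: write the packaging toolchain (pip, setuptools, wheel, virtualenv, tox) into a pip constraints file, point pip at it through the `PIP_CONSTRAINT` environment variable so every `pip install` in the job honours it, and fail the job if `pip freeze --all` shows a version that drifted from the pins. The version numbers and the sample freeze output are constructed for the example, not recommendations; the only real tool behaviour relied on is pip's support for `--constraint` / `PIP_CONSTRAINT`.

```shell
#!/bin/sh
# Added example: pin the packaging toolchain on CI and verify nothing drifted.
# Not from the original post; versions below are constructed sample values.

# write_constraints FILE
# Emits a pip constraints file. A constraints file never installs anything
# on its own; it only caps what any later `pip install` may resolve to, so
# tox/virtualenv seeding pip into fresh environments stays on these versions
# too when they run pip with this file active.
write_constraints() {
  cat > "$1" <<'EOF'
# constructed sample pins; replace with the versions you actually tested
pip==23.1.2
setuptools==67.8.0
wheel==0.40.0
virtualenv==20.23.0
tox==4.6.0
EOF
}

# write_sample_freeze FILE
# Constructed stand-in for `pip freeze --all > FILE` on a healthy runner.
write_sample_freeze() {
  cat > "$1" <<'EOF'
pip==23.1.2
setuptools==67.8.0
wheel==0.40.0
virtualenv==20.23.0
tox==4.6.0
requests==2.31.0
EOF
}

# check_pins CONSTRAINTS_FILE FREEZE_FILE
# For every `name==version` pin, look the name up in the freeze output and
# compare versions (case-folded). Prints one line per problem and returns 1
# if any pinned tool is missing or at a different version, else 0.
# Note: PEP 503 name normalisation (hyphen/underscore/dot) is not applied.
check_pins() {
  constraints=$1
  freeze=$2
  status=0
  while IFS= read -r raw; do
    line=$(printf '%s' "$raw" | tr 'A-Z' 'a-z')
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    name=${line%%==*}
    want=${line#*==}
    have=$(tr 'A-Z' 'a-z' < "$freeze" | grep "^${name}==" | sed 's/^[^=]*==//')
    if [ -z "$have" ]; then
      echo "MISSING $name (pinned $want)"
      status=1
    elif [ "$have" != "$want" ]; then
      echo "DRIFT $name: pinned $want, installed $have"
      status=1
    fi
  done < "$constraints"
  return "$status"
}

# Demo against constructed data; on a real runner you would instead run:
#   export PIP_CONSTRAINT="$PWD/constraints.txt"   # honoured by every pip call
#   python -m pip install --upgrade pip setuptools wheel virtualenv tox
#   python -m pip freeze --all > freeze.txt && check_pins constraints.txt freeze.txt
demo() {
  dir=$(mktemp -d)
  write_constraints "$dir/constraints.txt"
  write_sample_freeze "$dir/freeze.txt"
  if check_pins "$dir/constraints.txt" "$dir/freeze.txt"; then
    echo "toolchain matches pins"
  else
    echo "toolchain drifted from pins; failing the job would be appropriate"
  fi
  rm -rf "$dir"
}
demo
```

Exporting `PIP_CONSTRAINT` before the first `pip install` is the part that turns pinning from a per-command chore into the default for the whole job; bumping the constraints file in a pull request then becomes the moment a new PyPA release is tested, rather than the moment it silently lands in production CI.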