PyPy has moved to Git, GitHub

&gt; Open Source has become synonymous with GitHub, and we are too small to change that.<p>It&#x27;s kind of sad that this is true.<p>I&#x27;m guilty myself, I contribute to projects on GitHub more often than on any other platform.<p>And when I search for open source projects the first page I use is GitHub.

If you are confused (like me) that this was about PyPI (Python packages repository) then no. It is about a project called PyPy (one can argue it is bad name) that is an implementation of python interpreter but without cpython. Instead they rely on a JIT compiler. And it is syntax compatible but if your code uses any library or method relying on C extensions then you are out of luck (Goodbye NumPy.. etc).<p>Edit: They have C-layer emulation, but I don&#x27;t know its limitations or current status, but you can use those libraries [1][2]<p>[1] <a href="https:&#x2F;&#x2F;www.pypy.org&#x2F;posts&#x2F;2018&#x2F;09&#x2F;inside-cpyext-why-emulating-cpython-c-8083064623681286567.html" rel="nofollow">https:&#x2F;&#x2F;www.pypy.org&#x2F;posts&#x2F;2018&#x2F;09&#x2F;inside-cpyext-why-emulati...</a><p>[2] <a href="https:&#x2F;&#x2F;pythoncapi.readthedocs.io&#x2F;cpyext.html" rel="nofollow">https:&#x2F;&#x2F;pythoncapi.readthedocs.io&#x2F;cpyext.html</a>

I&#x27;ve been using git happily for many years. Strangely enough the provenance of a commit i.e. which branch did a commit originally come has not really mattered to me very much. Mercurial provides this and they are using `git notes` to add this provenance meta-data to each commit during migration to git.<p>I would have thought I&#x27;d need this much more, but I have not. In plain git I&#x27;ll just `git log` and grep for the commit in case I want to make sure a commit is available in a certain branch.

But 33% of PyPy packages contain the potential for extreme security flaws and you don&#x27;t know which ones until it gets you. How bad do you have to want to use Python to tolerate that?<p>&quot;“When we actually examined the behavior and looked for new attack vectors, we discovered that if you download a malicious package — just download it — it will automatically run on your computer,” he told SC Media in an interview from Israel. “So we tried to understand why, because for us the word download doesn’t necessarily mean that the code will automatically run.”<p>But for PyPi, it does. The commands required for both processes run a script, called pip, executes another file called setup.py, that is designed to provide a data structure for the package manager to understand how to handle the package. That script and process is also composed of Python code that runs automatically, meaning an attacker can insert and execute that malicious code on the device of anyone who downloads it.&quot; <a href="https:&#x2F;&#x2F;www.scmagazine.com&#x2F;analysis&#x2F;a-third-of-pypi-software-packages-contains-flaw-to-execute-code-when-downloaded" rel="nofollow">https:&#x2F;&#x2F;www.scmagazine.com&#x2F;analysis&#x2F;a-third-of-pypi-software...</a>

Why do people like Mercurial branches? Was it revamped? I hate it when I used it.<p>By all means, I prefer Git branches.

Speaking of git, for mega monorepro performance, we&#x27;re gonna need synthetic FSes and SCM-integrated synthetic checkouts. Sapling (was hg in the past but was forked and reworked extensively) will be able to do this if EdenFS will ever be released, but Git will need something similar. This will require a system agent running with a caching overlay fs that can grab and cache bits on-the-fly. Yes, it&#x27;s slightly slower than having contents already, but there is no way to checkout a 600+ GiB repo on a laptop with a 512 GiB SSD.

Every provider out there can talk a standard Git protocol, but all the features that don&#x27;t have a standard Git protocol become a proprietary API. I think if Git (or a project like it) made a standard protocol&#x2F;data format for all the features of a SCM, then all those providers could adopt it, and we could start moving away from GitHub as the center of the known universe. If we don&#x27;t make a universal standard (and implementation) then it&#x27;ll remain the way it is today.

&gt; the script properly retained the issue numbers<p>Oh that&#x27;s quite helpful. I was worried about how lossy the migration would be.

They are right. Mercurial is better than git for 99% of usecases. But we lost this one.

Git should be a pretty easy-to-federate system, at least in terms of mimicking pull requests. Is there anything that tries to do so? Gitea?

I used to use Mercurial as well and greatly preferred it, but for better or worse, Git won. I started using Git several years ago and haven&#x27;t looked back.<p>No matter what people might say, I think this stuff matters for contributors and users who might be looking at your project, and git&#x2F;github is the typical expectation. This is likely the right decision, as they are now ubiquitous.

But what about compatibility, is it fully compatible with Git?? How will the contribution work flow change?

This is a tragic, wrongheaded move, and I say that as a big Git enthusiast (but a Github hater, to be fair...)<p>I don&#x27;t think PyPy gains anything from this, not even a reduction in the annoying messages that have been psychologically torturing the maintainers. If anything, you&#x27;re just opening yourself up to more common and frequent low-investment pestering.

Better late than never. Here&#x27;s hoping that means things like `pip publish` are back on the table, too.

&gt; foss.heptapod.net is not well indexed in google&#x2F;bing&#x2F;duckduckgo search, so people find it harder to search for issues in the project.<p>SEO : WWW structure :: gravity : orbital mechanics