
Update README.rst - Add monthly downloads badge #1118

Merged
merged 1 commit into from
May 23, 2024


ayushjain01
Contributor

Description of Change

Added a monthly downloads badge by pip Trends to the README.
View more at - https://piptrends.com/widgets/pyyaml

Assumptions

None

Checklist for All Submissions (none apply)

  • I have added change info to CHANGES.rst
  • If this is resolving an issue (needed so future developers can determine if change is still necessary and under what conditions) (can be provided via link to issue with these details):
    • Detailed description of issue
    • Alternative methods considered (if any)
    • How issue is being resolved
    • How issue can be reproduced
  • If this is providing a new feature (can be provided via link to issue with these details):
    • Detailed description of new feature
    • Why needed
    • Alternative methods considered (if any)

Checklist when updating botocore and/or aiohttp versions

  • I have read and followed CONTRIBUTING.rst
  • I have updated test_patches.py where/if appropriate (also check if no changes necessary)
  • I have ensured that the awscli/boto3 versions match the updated botocore version

@thehesiod
Collaborator

omg 317M/mo? holy cow

@thehesiod
Collaborator

something tells me there be bugs, or someone hammering the downloads lol

@thehesiod
Collaborator

I guess it's correct, at least matches

SELECT COUNT(*) AS num_downloads
FROM `bigquery-public-data.pypi.file_downloads`
WHERE file.project = 'aiobotocore'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)
    AND CURRENT_DATE()

@thehesiod
Collaborator

error is unrelated, going to force merge

@thehesiod thehesiod self-requested a review May 23, 2024 03:06
@thehesiod thehesiod merged commit a960f12 into aio-libs:master May 23, 2024
6 of 11 checks passed
@thehesiod
Collaborator

ty!

@thehesiod
Collaborator

top 10 btw:

1 | boto3 | 1437346653
2 | botocore | 653582073
3 | urllib3 | 546673014
4 | requests | 489360227
5 | wheel | 482689138
6 | certifi | 433404786
7 | idna | 428778797
8 | typing-extensions | 426101807
9 | charset-normalizer | 421344603
10 | pip | 390331460

@ayushjain01
Contributor Author

Thanks for merging the PR. Glad you liked it.

@jakob-keller
Collaborator

jakob-keller commented May 23, 2024

> something tells me there be bugs, or someone hammering the downloads lol

You might be onto something: rank 11 on that list is currently pypular which itself claims:

> The purpose of this tool is to download python packages from PYPI multiple times, to inflate the download counter.

That severely undermines credibility of the download counts, IMO. Is that even allowed as per PyPI terms of use?

@thehesiod
Collaborator

ya something seems fishy. why would someone want to do that for these modules

@mattip

mattip commented May 29, 2024

Note there is discussion of the need for such a badge on numpy/numpy#26500.

@jakob-keller
Collaborator

> Note there is discussion of the need for such a badge on numpy/numpy#26500.

I agree. Besides driving traffic to that third party site, it could also be considered a security issue, since it allows for uncontrolled loading of external content. I am in favour of removing the badge.

@thehesiod
Collaborator

@jakob-keller hmm pypi.org also links to https://libraries.io/ which is also a commercial enterprise. I don't see the download stats on pypi.org, where is that available?

@jakob-keller
Collaborator

jakob-keller commented May 29, 2024

> @jakob-keller hmm pypi.org also links to https://libraries.io/ which is also a commercial enterprise. I don't see the download stats on pypi.org, where is that available?

Stats are not available directly from pypi.org: https://pypi.org/help/#statistics

My issue does not lie with libraries.io, but with piptrends.com, which appears to be less established and provided by an individual. The site features sub-par advertising, when I look at it.

@thehesiod
Collaborator

@jakob-keller I've gone ahead and re-done the badges based on that numpy thread, lemme know what you think

@jakob-keller
Collaborator

> @jakob-keller I've gone ahead and re-done the badges based on that numpy thread, lemme know what you think

LGTM!

@ayushjain01
Contributor Author

> > Note there is discussion of the need for such a badge on numpy/numpy#26500.
>
> I agree. Besides driving traffic to that third party site, it could also be considered a security issue, since it allows for uncontrolled loading of external content. I am in favour of removing the badge.

@jakob-keller - I believe the readme already has badges from external sites. I don't see any security issue associated with just one badge - that clearly just displays a more accurate download count.

> > @jakob-keller hmm pypi.org also links to https://libraries.io/ which is also a commercial enterprise. I don't see the download stats on pypi.org, where is that available?
>
> Stats are not available directly from pypi.org: https://pypi.org/help/#statistics
>
> My issue does not lie with libraries.io, but with piptrends.com, which appears to be less established and provided by an individual. The site features sub-par advertising, when I look at it.

We're a small team trying to contribute something to the community. We don't have any advertising and aren't planning to add anything in the future as well. It's less established since we're just getting started. Even libraries.io was less established in the beginning, right?

There were concerns about the external link to piptrends.com, which is alright, you can remove the link if you don't want visitors to go check the package page on piptrends, which only has more information about the package and content to get started with - again contributed by people.

@jakob-keller
Collaborator

@ayushjain01: Thank you for taking the time to explain your position.

  • It would have helped to build trust, if you had disclosed your apparent affiliation with piptrends.com when you first created the PR. As far as I can tell, you still have not made that connection explicit. No offence, but the way this was handled feels dodgy to me.
  • I am generally in favour of supporting new projects, companies and so forth, as long as they add value. The PyPI download stats are obviously manipulated and thus do the opposite IMHO. I would not have added any badge for that reason.
  • I agree with you that any of the externally hosted badges might introduce risks. However, the existing badges mostly come from well established providers with lots of eyeballs on them: If they were to turn into an actual issue, someone somewhere would notice that very quickly and we would likely be notified and could take action. This is less likely with more obscure providers, which raises their risk IMO.
  • I am slightly less concerned with the outgoing link of badges than with the potential for loading arbitrary content. I am no expert in this topic, but would generally recommend exercising restraint and being very selective to be on the safe side.
  • My initial statement about advertising on piptrends.com was by mistake. I briefly looked at the site and assumed the bottom section with links to "top packages" or something were clickbait. On closer look it turned out to be part of the site.

In any case, good luck with your project.
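
An added example, not part of the original thread or the project's own code: one way to enforce the "be very selective" stance from the comment above is a check that lists every remote badge image and link target in a README.rst and flags hosts outside an agreed allowlist. The allowlist, the sample README and the placeholder piptrends paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy: hosts the maintainers have agreed to load badges from.
# This is not the project's actual list.
ALLOWED_HOSTS = {"img.shields.io", "pypi.org"}

# Constructed README.rst fragment; the piptrends paths are placeholders.
SAMPLE_README = """\
.. |pypi| image:: https://img.shields.io/pypi/v/example.svg
    :target: https://pypi.org/project/example/
.. |downloads| image:: https://piptrends.com/PLACEHOLDER-badge-path
    :target: https://piptrends.com/PLACEHOLDER-package-page
.. image:: http://img.shields.io/badge/plain-http.svg
.. |local| image:: docs/logo.png
"""

# reST image directive, with or without a |substitution| name in front.
IMAGE = re.compile(r"^\s*\.\.\s+(?:\|[^|]+\|\s+)?image::\s*(\S+)")
# The :target: option that turns the badge into an outgoing link.
TARGET = re.compile(r"^\s+:target:\s*(\S+)")


def audit_readme(text, allowed=ALLOWED_HOSTS):
    """Return (line, kind, host, reason) for each remote URL that fails policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("image", IMAGE), ("target", TARGET)):
            match = pattern.match(line)
            if not match:
                continue
            parts = urlsplit(match.group(1))
            if not parts.scheme and not parts.netloc:
                continue  # relative path: served from the repository itself
            host = (parts.hostname or "").lower()
            if parts.scheme != "https":
                findings.append((lineno, kind, host, "not https"))
            elif host not in allowed:
                findings.append((lineno, kind, host, "host not allowlisted"))
    return findings


if __name__ == "__main__":
    for finding in audit_readme(SAMPLE_README):
        print("%d: %s %s (%s)" % finding)
```

Findings are tagged `image` or `target` so a reviewer can weigh embedded content separately from outgoing links, as the comment does.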

@ixmatus

ixmatus commented Jun 27, 2024

If y'all haven't already, I think you should revert the merge.

A colleague of this person tried to open this exact PR against a project I'm the maintainer for as well (ixmatus/inflector#16). This is a promotional campaign and they (or colleagues) appear to be doing it on Reddit too. I think this is suspicious activity. They are creating an external dependency on a web property that (as far as I can tell) is not officially blessed by pypi.

Users can get package statistics from libraries.io which is linked to directly by pypi itself.

@emdneto

emdneto commented Jun 27, 2024

@ixmatus, they already did the revert. Thanks for noticing that 🙏🏻
