* Source tarballs from PyPI versus tarballs from the individual project websites
@ 2016-10-12 6:16 Arun Isaac
2016-10-12 7:49 ` Alex Kost
2016-10-12 11:57 ` Christopher Allan Webber
0 siblings, 2 replies; 7+ messages in thread
From: Arun Isaac @ 2016-10-12 6:16 UTC (permalink / raw)
To: guix-devel@gnu.org
[-- Attachment #1: Type: text/plain, Size: 836 bytes --]
When packaging python packages, why are we using the source tarballs
hosted on PyPI, rather than using the source tarballs hosted on the
websites of the individual projects?
For example, for the package python-pycrypto, why are we using the
tarball from PyPI
https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
instead of the tarball from the pycrypto project website
https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?
Using the PyPI tarball seems to make Guix dependent on another package
repository -- namely, PyPI. That seems to me a bad thing.
I have packaged a few python packages using the tarballs from their
respective project websites. Should I change them to use the PyPI
tarballs before contributing the package definitions to Guix? Which
tarball should I prefer?
Regards,
Arun
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 472 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 6:16 Source tarballs from PyPI versus tarballs from the individual project websites Arun Isaac
@ 2016-10-12 7:49 ` Alex Kost
2016-10-12 11:57 ` Christopher Allan Webber
1 sibling, 0 replies; 7+ messages in thread
From: Alex Kost @ 2016-10-12 7:49 UTC (permalink / raw)
To: Arun Isaac; +Cc: guix-devel@gnu.org
Arun Isaac (2016-10-12 11:46 +0530) wrote:
> When packaging python packages, why are we using the source tarballs
> hosted on PyPI, rather than using the source tarballs hosted on the
> websites of the individual projects?
>
> For example, for the package python-pycrypto, why are we using the
> tarball from PyPI
> https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
> instead of the tarball from the pycrypto project website
> https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?
>
> Using the PyPI tarball seems to make Guix dependent on another package
> repository -- namely, PyPI. That seems to me a bad thing.
>
> I have packaged a few python packages using the tarballs from their
> respective project websites. Should I change them to use the PyPI
> tarballs before contributing the package definitions to Guix? Which
> tarball should I prefer?
As for me, I always prefer tarballs directly from the upstream. So I
wouldn't change those packages to use PyPi sources.
--
Alex
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 6:16 Source tarballs from PyPI versus tarballs from the individual project websites Arun Isaac
2016-10-12 7:49 ` Alex Kost
@ 2016-10-12 11:57 ` Christopher Allan Webber
2016-10-12 12:44 ` Ludovic Courtès
2016-10-12 14:13 ` Leo Famulari
1 sibling, 2 replies; 7+ messages in thread
From: Christopher Allan Webber @ 2016-10-12 11:57 UTC (permalink / raw)
To: Arun Isaac; +Cc: guix-devel@gnu.org
Arun Isaac writes:
> When packaging python packages, why are we using the source tarballs
> hosted on PyPI, rather than using the source tarballs hosted on the
> websites of the individual projects?
>
> For example, for the package python-pycrypto, why are we using the
> tarball from PyPI
> https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
> instead of the tarball from the pycrypto project website
> https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?
The easy answer is probably "the importer tool we have makes it easy to
pull the version down from PyPI", so that's the way most of us package
it.
I'd be for using actual upstream, or at least supplying both, so that
they're mirrors. One concern is, what about the tooling for telling us
when updates to packages are available?
- Chris
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 11:57 ` Christopher Allan Webber
@ 2016-10-12 12:44 ` Ludovic Courtès
2016-10-12 14:52 ` Arun Isaac
2016-10-12 14:13 ` Leo Famulari
1 sibling, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2016-10-12 12:44 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: guix-devel@gnu.org
Christopher Allan Webber <cwebber@dustycloud.org> skribis:
> I'd be for using actual upstream, or at least supplying both, so that
> they're mirrors. One concern is, what about the tooling for telling us
> when updates to packages are available?
‘guix refresh’ works for PyPI but not for arbitrary sites.
That would be in favor of using PyPI as the source, but I don’t know
what else is at stake.
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 12:44 ` Ludovic Courtès
@ 2016-10-12 14:52 ` Arun Isaac
2016-10-12 20:15 ` Ludovic Courtès
0 siblings, 1 reply; 7+ messages in thread
From: Arun Isaac @ 2016-10-12 14:52 UTC (permalink / raw)
To: guix-devel@gnu.org
[-- Attachment #1: Type: text/plain, Size: 351 bytes --]
>> One concern is, what about the tooling for telling us when updates to
>> packages are available?
>
> ‘guix refresh’ works for PyPI but not for arbitrary sites.
Why not let 'guix refresh' use PyPI to detect package updates, and then
let somebody manually find the equivalent upstream tarball URI and put
it in the package definition?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 472 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 14:52 ` Arun Isaac
@ 2016-10-12 20:15 ` Ludovic Courtès
0 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2016-10-12 20:15 UTC (permalink / raw)
To: Arun Isaac; +Cc: guix-devel@gnu.org
Arun Isaac <arunisaac@systemreboot.net> skribis:
>>> One concern is, what about the tooling for telling us when updates to
>>> packages are available?
>>
>> ‘guix refresh’ works for PyPI but not for arbitrary sites.
>
> Why not let 'guix refresh' use PyPI to detect package updates, and then
> let somebody manually find the equivalent upstream tarball URI and put
> it in the package definition?
The problem is that the PyPI “updater” that ‘guix refresh’ uses needs to
be able to determine that a package is a “PyPI package”, which is what
the ‘pypi-package?’ predicate in (guix import pypi) does. If a package
uses a URL other than pypi.python.org, that predicate returns false.
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Source tarballs from PyPI versus tarballs from the individual project websites
2016-10-12 11:57 ` Christopher Allan Webber
2016-10-12 12:44 ` Ludovic Courtès
@ 2016-10-12 14:13 ` Leo Famulari
1 sibling, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2016-10-12 14:13 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: guix-devel@gnu.org
On Wed, Oct 12, 2016 at 06:57:28AM -0500, Christopher Allan Webber wrote:
> I'd be for using actual upstream, or at least supplying both, so that
> they're mirrors. One concern is, what about the tooling for telling us
> when updates to packages are available?
I've noticed that the PyPi tarballs and the "upstream site" tarballs are
usually not the same thing. So, you could ask upstream what the prefer
packagers use and pick that one.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-10-12 20:16 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-12 6:16 Source tarballs from PyPI versus tarballs from the individual project websites Arun Isaac
2016-10-12 7:49 ` Alex Kost
2016-10-12 11:57 ` Christopher Allan Webber
2016-10-12 12:44 ` Ludovic Courtès
2016-10-12 14:52 ` Arun Isaac
2016-10-12 20:15 ` Ludovic Courtès
2016-10-12 14:13 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).