From: Christopher Allan Webber
Subject: Re: Source tarballs from PyPI versus tarballs from the individual project websites
Date: Wed, 12 Oct 2016 06:57:28 -0500
Message-ID: <87a8e9dbkn.fsf@dustycloud.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Arun Isaac
Cc: "guix-devel@gnu.org"

Arun Isaac writes:

> When packaging python packages, why are we using the source tarballs
> hosted on PyPI, rather than using the source tarballs hosted on the
> websites of the individual projects?
>
> For example, for the package python-pycrypto, why are we using the
> tarball from PyPI
> https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
> instead of the tarball from the pycrypto project website
> https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?

The easy answer is probably "the importer tool we have makes it easy to
pull the version down from PyPI", so that's the way most of us package
it.

I'd be for using actual upstream, or at least supplying both, so that
they're mirrors.

One concern is, what about the tooling for telling us when updates to
packages are available?

 - Chris