From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49402) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dF7CH-0007ZE-L5 for guix-patches@gnu.org; Sun, 28 May 2017 19:02:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dF7CE-0000S9-HK for guix-patches@gnu.org; Sun, 28 May 2017 19:02:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:39575) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dF7CE-0000S5-98 for guix-patches@gnu.org; Sun, 28 May 2017 19:02:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dF7CE-0006OR-1D for guix-patches@gnu.org; Sun, 28 May 2017 19:02:02 -0400 Subject: bug#27110: [PATCH] gnu: asciinema: Update to 1.4.0. Resent-Message-ID: From: Marius Bakke In-Reply-To: <20170528223323.GA15181@jasmine> References: <1495934193.2882278.990671576.787F34D9@webmail.messagingengine.com> <1519f8c5.AEUAKk_HotIAAAAAAAAAAAPFk78AAAACwQwAAAAAAAW9WABZKwI9@mailjet.com> <20170528183753.GB15883@jasmine> <2dff1be8.ADsAAhu0Cj4AAAAAAAAAAAO8ccgAAAACwQwAAAAAAAW9WABZK0zP@mailjet.com> <20170528223323.GA15181@jasmine> Date: Mon, 29 May 2017 01:01:26 +0200 Message-ID: <877f10fuwp.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Leo Famulari , Arun Isaac Cc: 27110@debbugs.gnu.org, Alex Griffin --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Leo Famulari writes: > On Mon, May 29, 2017 at 03:48:36AM +0530, Arun Isaac wrote: >>=20 >> >> Could you switch to upstream's github release tarball instead? >> >> https://github.com/asciinema/asciinema/archive/v1.4.0.tar.gz >> >> >> >> LGTM, otherwise! >> > >> > Is there a reason to prefer one over the other? >> > >> > I ask because, typically, these unammed GitHub tarballs are not actual >> > releases prepared by the maintainers, but just a snapshot of the Git >> > repo, created automatically by GitHub for each tag. PyPi tends to >> > contain the "real" release in cases like this. >>=20 >> I thought it is better to depend directly on the upstream source >> (github, in this case) than on an intermediary (pypi) who has also >> packaged the software. If we use pypi, Guix becomes some kind of second >> order package repository that depends on pypi, the primary package >> repository. WDYT? > > My understanding is that project maintainers upload their releases to > PyPi, not that PyPi packages the release for them. Is that incorrect? This is true. The PyPi releases are often different from the raw sources, look for the magic lines "packages" and "package_data" in setup.py[0] to see what is included/excluded in the PyPi archive. Unfortunately some packages also exlude tests, in which case it's okay to use the upstream repository. Some projects provide PGP signatures on PyPi as well, which is great. Take matplotlib for example: https://pypi.python.org/pypi/matplotlib (PGP signed tarball, 52MiB) https://github.com/matplotlib/matplotlib/releases (no signature, 51MiB) [0] https://packaging.python.org/distributing/ --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlkrVsYACgkQoqBt8qM6 VPqBiAf/SXr4hRMXDYgQ5rlDTog6Uu8NNg1FbWPUhfARkHv764K4u097DK+FVhvF 1F5ODsjARLcVtpqen43jSL5CSN16KKxIdPP9PVD5MDDpIbstOCwCFko+NVRlQ9vA MGcMrwg6bhkeqMUzxpNHRQROhq8NKQGsItA+xwWiHu6ySdIEvji/R8NyV6ym2BqS LEMIwFGsqGKv7Ef7jUbcgU/bff1MElw3U3nSJC9Y39Agx3GfafQb47LYHgbOiJn8 VVGnWRBTFI3BZshQZqrdYmygu7GaIKdWg7n95C3UtNaFjZIeoE6+PY+Z11pRKTS4 VxVJiALKdxMSeSgeEqpFKqRWD9Xasw== =qkpX -----END PGP SIGNATURE----- --=-=-=--