On Jun 5, 2013, at 6:52 PM, PJ Eby <pje@telecommunity.com> wrote:

On Wed, Jun 5, 2013 at 2:47 PM, Donald Stufft <donald@stufft.io> wrote:
One of the big problems with download_url is that the data in setup.py is
used in (and influences the content of) the final dist file. This means that
inside of a setup.py you won't know what the hash of the final file is. So
it's difficult for a setup.py based workflow with external urls to provide
md5 sums for the files which means that pip and friends can't verify that
nobody modified the download in transit.

Not if it's done in a setup.py command that runs after the
distributions are built, akin to the way the upload command works now.
If there were, say, an "uplink" command based on a modified version
of upload, it could call the PyPI API to pass along hashed URLs.

At some point I intend to write such a command so that my current
snapshot scripts (which run on the server the downloads are hosted
from) can update PyPI with properly hashed URLs.  (But I'm not sure
when "some point" will be, exactly, so if someone else writes it first
I'll be a happy camper.)

With static metadata, ideally PyPI will be reading metadata from inside of the uploaded file and all that will be required is for publishing tools to push the file up.

However, something like your uplink command would (assuming I understand it correctly) work fine because those "additional urls to list on the /simple/ page" are not part of the package metadata.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
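
The following is an added example, not code from either participant or from PyPI or pip: it shows why the hash of an externally hosted file has to be computed after the distribution is built, and how a client can check a download against a hashed URL. It assumes the `#md5=<hex>` URL fragment convention; the function names, the in-memory tar standing in for a built sdist, and the `downloads.example.invalid` host are all hypothetical.

```python
import hashlib
import io
import tarfile
from urllib.parse import urldefrag

# Constructed sample setup.py; not taken from any real project.
SETUP_PY = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"


def build_sdist(setup_py: str) -> bytes:
    """Pack setup.py into an in-memory tar (stand-in for 'setup.py sdist')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo("demo-1.0/setup.py")  # mtime defaults to 0
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def hashed_url(base_url: str, dist: bytes) -> str:
    """Post-build step: hash the finished file and attach it to the URL."""
    return f"{base_url}#md5={hashlib.md5(dist).hexdigest()}"


def verify_download(url: str, body: bytes) -> bool:
    """Client side: accept the body only if it matches the URL's hash."""
    _, fragment = urldefrag(url)
    algo, _, expected = fragment.partition("=")
    if algo != "md5" or not expected:
        return False  # no usable hash on the link: treat as unverified
    return hashlib.md5(body).hexdigest() == expected


def embedding_changes_hash(setup_py: str) -> bool:
    """Writing the hash into setup.py alters the archive, so it no longer matches."""
    digest = hashlib.md5(build_sdist(setup_py)).hexdigest()
    rebuilt = build_sdist(setup_py + f"# md5={digest}\n")
    return hashlib.md5(rebuilt).hexdigest() != digest


if __name__ == "__main__":
    dist = build_sdist(SETUP_PY)
    url = hashed_url("https://downloads.example.invalid/demo-1.0.tar", dist)
    print(url)
    print("intact:", verify_download(url, dist))
    print("modified in transit:", verify_download(url, dist + b"\x00"))
    print("hash cannot live in setup.py:", embedding_changes_hash(SETUP_PY))
```

The check only detects modification of the file; it relies on the page that lists the hashed URL being fetched over a channel the client already trusts.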