[Cython] Differing Cython-0.14.1.tar.gz files

Stefan Behnel stefan_ml at behnel.de
Mon Mar 7 07:54:01 CET 2011

Ryan Schmidt, 06.03.2011 23:12:
> There are two different files called Cython-0.14.1.tar.gz -- one in http://www.cython.org/release/ and a different one in http://pypi.python.org/packages/source/C/Cython/:

Interesting. Do you mean "different" as in "different content" (i.e. sources 
etc.), or just as in "md5sum gives different hashes"?

> Why don't you release a version of your software as a single distfile
> that is identical on all servers?

Well, I don't think there is a reason for that, simply because I doubt that 
it's being done intentionally. I guess it just lacks a process.

In any case, I doubt that there are any differences between the tar.gz 
files, except for file modification times and potentially the creation time 
of the C sources. The build process is deterministic.

IMHO, the best way to make the releases would be to run

     setup.py sdist register upload

to push them to PyPI, and then take the same tar.gz and copy it over to 
cython.org. In any case, the one on PyPI should always take the lead, as 
that's what people get when they run easy_install.

I also think we should start signing the released archives. This can be 
done via distutils' "upload" command by passing

     upload --sign --identity=[e-mail-address-of-key]

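Added example, not part of Stefan's message or of the Cython project's tooling: a POSIX shell script that answers the question raised above, whether two copies of a release tarball differ in their file contents or only in archive metadata (member mtimes, owner fields, entry order, gzip header). It assumes GNU or BSD tar, gzip and GNU coreutils sha256sum; the small source tree and the archive names a.tar.gz / b.tar.gz are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether two sdist tarballs differ in *content* or only in
# archive metadata (member mtimes, owner fields, entry order, gzip header).
# Assumes GNU/BSD tar, gzip and GNU coreutils sha256sum. The demo tree and the
# archive names a.tar.gz / b.tar.gz are constructed for this illustration.
set -eu

# archive_digest ARCHIVE: digest of the raw .tar.gz bytes; this is what a plain
# md5sum/sha256sum of a download reports, and it changes with any metadata.
archive_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# content_digest ARCHIVE: extract, hash every regular file, then hash the sorted
# "hash  path" listing. Two archives of the same sources give the same value even
# when their mtimes or member order differ.
content_digest() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp"
    (
        cd "$tmp"
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        done
    ) | sha256sum | cut -d' ' -f1
    rm -rf "$tmp"
}

# compare_archives A B: prints one of three verdicts and returns 0 only when the
# file contents agree.
compare_archives() {
    if [ "$(archive_digest "$1")" = "$(archive_digest "$2")" ]; then
        echo "identical bytes"
    elif [ "$(content_digest "$1")" = "$(content_digest "$2")" ]; then
        echo "same content, metadata differs"
    else
        echo "CONTENT DIFFERS"
        return 1
    fi
}

# make_demo_archives DIR: constructed sample input -- one small source tree packed
# twice with different modification times, as happens when a release is re-rolled.
make_demo_archives() {
    tree="$1/Cython-demo"
    mkdir -p "$tree/Cython"
    printf 'def f():\n    return 1\n' > "$tree/Cython/mod.pyx"
    printf 'from distutils.core import setup\nsetup(name="Cython-demo")\n' > "$tree/setup.py"
    find "$tree" -exec touch -t 201102200000 {} +
    tar -czf "$1/a.tar.gz" -C "$1" Cython-demo
    find "$tree" -exec touch -t 201103010000 {} +
    tar -czf "$1/b.tar.gz" -C "$1" Cython-demo
}

# Demo run: the two archives hash differently as files but identically as content.
demo_dir=$(mktemp -d)
make_demo_archives "$demo_dir"
echo "a.tar.gz: $(archive_digest "$demo_dir/a.tar.gz")"
echo "b.tar.gz: $(archive_digest "$demo_dir/b.tar.gz")"
compare_archives "$demo_dir/a.tar.gz" "$demo_dir/b.tar.gz"
rm -rf "$demo_dir"
```

Run against the two real downloads (`compare_archives Cython-0.14.1-pypi.tar.gz Cython-0.14.1-cython.org.tar.gz`) the verdict tells you which of the two cases in the message applies: a byte-level hash mismatch alone says nothing about whether the sources differ, while a content-digest mismatch is the case that warrants a closer look. Publishing the PyPI tarball's hash and a detached signature alongside the archive, as the message proposes, is what lets downstream packagers do this check without a second copy to compare against.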