[Cython] Differing Cython-0.14.1.tar.gz files

[Robert Bradshaw]

On Sun, Mar 6, 2011 at 10:54 PM, Stefan Behnel <stefan_ml at behnel.de> wrote:
> Ryan Schmidt, 06.03.2011 23:12:
>>
>> There are two different files called Cython-0.14.1.tar.gz -- one in
>> http://www.cython.org/release/ and a different one in
>>  http://pypi.python.org/packages/source/C/Cython/:
>
> Intersting. Do you mean "different" as in "different content" (i.e. sources
> etc.), or just as in "md5sum gives different hashes"?
>
>
>> Why don't you release a version of your software as a single distfile
>> that is identical on all servers?
>
> Well, I don't think there is a reason for that, simply because I doubt that
> it's being done intentionally. I guess it just lacks a process.

I just downloaded both tarballs and it looks like there were a small
number of commits in the cython.org one that weren't on PyPi. I
thought I had uploaded and then done sdist, but maybe I messed
something up with branches while doing some last tests. My bad, I've
copied the PyPi ones to cython.org. Thanks for bringing this to our
attention, we'll be more careful about this in the future.

> In any case, I doubt that there are any differences between the tar.gz
> files, except for file modification times and potentially the creation time
> of the C sources. The build process is deterministic.

This is what usually happens, though we should re-download to get
exactly the same file.

> IMHO, the best way to make the releases would be to run
>
>    setup.py sdist register upload
>
> to push them to PyPI, and then take the same tar.gz and copy it over to
> cython.org. In any case, the one on PyPI should always take the lead, as
> that's what people get when they run easy_install.

+1.

> I also think we should start signing the released archives. This can be done
> via distutils' "upload" command by passing
>
>    upload --sign --identity=[e-mail-address-of-key]

Good idea.

- Robert