[Distutils] option #1 plus download_url scraping

Nick Coghlan ncoghlan at gmail.com
Thu Jun 6 00:08:46 CEST 2013


On 6 Jun 2013 04:49, "Donald Stufft" <donald at stufft.io> wrote:
>
>
> On Jun 5, 2013, at 1:49 PM, Barry Warsaw <barry at python.org> wrote:
>
>> On Jun 05, 2013, at 12:16 PM, Donald Stufft wrote:
>>
>>> Where are you updating the version information at? And how are you generating
>>> a tarball so that its name has the correct version in it?
>>
>>
>> It depends on the package, but let's say it's in a version.txt file. Your
>> implication is correct though - if setup.py is parsing that file to calculate
>> the version key, it can also do the same and calculate the download_url value.
>>
>> -Barry
>
>
> I'm really just trying to get a sense of your workflow to see if I can
> make any changes to improve the process for it.
>
> One of the big problems with download_url is that the data in setup.py is
> used in (and influences the content of) the final dist file. This means
> that inside of a setup.py you won't know what the hash of the final file
> is. So it's difficult for a setup.py based workflow with external urls to
> provide md5 sums for the files which means that pip and friends can't
> verify that nobody modified the download in transit.

Hmm, I should mention this problem in PEP 426, and explicitly limit
source_url to tarballs and VCS references. This self-referencing problem
means it can't easily refer to a built sdist anyway, and the original
source is preferred for distro packaging purposes.

Cheers,
Nick.

>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
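
The self-referencing problem discussed in this message, shown as an added example that is not part of the original thread: embedding an archive's own hash in metadata that ships inside the archive changes the hash, so the digest has to be published out of band and checked by the installer. The package name, URL, tar layout and the `#sha256=<hex>` fragment convention used here are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import tarfile

ALLOWED = {"sha256", "sha512"}  # assumption: this example accepts only SHA-2 digests


def build_sdist(version, download_url):
    """Build a constructed, deterministic sdist-like tarball whose PKG-INFO
    carries the metadata that setup.py would have supplied."""
    meta = (f"Name: demo\nVersion: {version}\n"
            f"Download-URL: {download_url}\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(f"demo-{version}/PKG-INFO")
        info.size = len(meta)
        info.mtime = 0  # fixed timestamp so identical input gives identical bytes
        tar.addfile(info, io.BytesIO(meta))
    return buf.getvalue()


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def chase_fixed_point(version, base_url, rounds=5):
    """Repeatedly embed the previous build's hash in Download-URL and rebuild.
    Returns the digest of each round; they never settle on one value."""
    url, seen = base_url, []
    for _ in range(rounds):
        d = digest(build_sdist(version, url))
        seen.append(d)
        url = f"{base_url}#sha256={d}"  # changes the metadata, hence the archive
    return seen


def verify_download(data, url_with_fragment):
    """Installer-side check: compare downloaded bytes with a hash that was
    published outside the archive, as a '#algo=hex' URL fragment."""
    _, _, fragment = url_with_fragment.partition("#")
    algo, _, expected = fragment.partition("=")
    if algo not in ALLOWED or not expected:
        raise ValueError("no usable hash fragment; download cannot be verified")
    return hmac.compare_digest(digest(data, algo), expected.lower())
```
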