[Distutils] Time for a setuptools_lite??

Ben Finney ben+python at benfinney.id.au
Thu Oct 29 00:12:49 EDT 2015


Nick Coghlan <ncoghlan at gmail.com> writes:

> That said, for Fedora RPMs, we don't need sdist per se - we only need
> ready access to the "original sources".


There's a temporal element to that, too. While “ready access” to the
source might be clear enough at the moment of the wheel's release, it is
less clear in ten years' time when the original source for a package
still in Fedora is needed again.

In practice, a URL to (what one hopes is) the source is not enough to
provide assurance the source will be available long in the future. Only
a known tarball (or equivalent fixed single-file archive form) of the
actual source is going to provide that.

> It's just that wheels don't count, since they're a nominally binary
> format, and "C ABI = None, Platform = None" in the filename isn't
> currently an entirely reliable indicator of a pure Python wheel file.

One needn't say that wheel is “nominally” anything; it is sufficient to
ask “is this what a recipient would need to have the source in a form
suitable for further modification and redistribution?”

A wheel distribution is fairly clearly *not* the preferred form of the
work for a recipient to have to exercise freedom to modify and
redistribute. The wheel distribution was generated from source files
edited by the developer, and so *those* files are the source form of the
work; the wheel distribution is not.

> A HTTPS source control URL together with a commit hash *can* count,
> though, even in the absence of a source archive uploaded to PyPI, as
> the VCS information is enough for us to retrieve the original sources
> and put them in the SRPM.

As I point out above, that's only reliably true if it is immediately
turned into a more reliably-archived form than a URL to some hosting
provider somewhere. So, in practice, the URL is not enough to provide
good assurance one has the source form of the work for redistribution.

> (I'm not as familiar with Debian's policies as I am with those for
> Fedora et al, but as far as I am aware, they want a reference to the
> original sources for similar reasons of build reproducibility, license
> compliance, and code auditability).

Not merely a reference, but (as explained above) the actual source form
of the work, persistent over long periods of time as the known
corresponding source form of that version of the work.

> Right, any recommended solution needs to provide access to the
> original sources *in addition to* any already built wheel files.

Yes, thanks.

-- 
 \     “Try adding “as long as you don't breach the terms of service – |
  `\          according to our sole judgement” to the end of any cloud |
_o__)                      computing pitch.” —Simon Phipps, 2010-12-11 |
Ben Finney
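A concrete check of the point Nick raises about filename tags, added here as an illustration and not code from the thread: it parses the PEP 427 wheel filename and then inspects the archive for compiled extension modules, since the `none-any` tag pair alone does not prove a wheel is pure Python. The wheel archives below are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# Wheel filename pattern from PEP 427:
# {distribution}-{version}(-{build tag})?-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)
# Compiled extension module suffixes; any of these means the wheel is not pure Python.
EXT_SUFFIXES = (".so", ".pyd", ".dylib")


def parse_wheel_name(filename):
    m = WHEEL_RE.match(filename)
    if m is None:
        raise ValueError("not a PEP 427 wheel filename: %s" % filename)
    return m.groupdict()


def claims_pure_python(tags):
    # "none-any" is the conventional abi/platform pair for a pure Python wheel.
    return tags["abi"] == "none" and tags["platform"] == "any"


def contains_extensions(wheel_bytes):
    # A wheel is a zip archive; list members that look like compiled extensions.
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(EXT_SUFFIXES))


def check_wheel(filename, wheel_bytes):
    """Return (claims_pure, extension_files). A result of (True, [...non-empty...])
    is a filename tag that cannot be trusted as a pure-Python indicator."""
    tags = parse_wheel_name(filename)
    return claims_pure_python(tags), contains_extensions(wheel_bytes)


def build_wheel(members):
    # Constructed in-memory wheel archive for the demo; not a real package.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    honest = build_wheel({"pkg/__init__.py": "x = 1\n"})
    mislabelled = build_wheel({"pkg/__init__.py": "", "pkg/_speedups.so": b"\x7fELF"})
    for data in (honest, mislabelled):
        print("pkg-1.0-py3-none-any.whl", check_wheel("pkg-1.0-py3-none-any.whl", data))
```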


