On 03.09.2012 03:48, Gary Martin wrote:
> There is another interesting alternative that I noted from a
> conversation on [email protected]. It seems that there is at least
> one podling (Apache Stanbol) that has a 'deps' source package that is
> used alongside their main release. I am not sure whether we should be
> looking to a similar approach as the reasoning behind it may not match
> ours. There are, however, some nice features associated with this
> approach. For instance, a deps package as a whole could (presumably
> must) be signed. In contrast, it seems that code signing is usually
> lacking on packages on pypi - I assume that we could not provide PGP
> signatures on a package by package basis with an alternate package index.

Subversion had such a signed deps source package before it came to Apache; later we discontinued it because some optional dependencies do not have a compatible license, so instead we ship a script that downloads the dependencies. License issues may prevent Bloodhound from releasing such a source package, but you'd know more about the details of that.

-- Brane

--
Certified & Supported Apache Subversion Downloads: http://www.wandisco.com/subversion/download
