On 09/03/2012 09:46 AM, Branko Čibej wrote:
> On 03.09.2012 03:48, Gary Martin wrote:
>> There is another interesting alternative that I noted from a
>> conversation on [email protected]. It seems that there is at least
>> one podling (Apache Stanbol) that has a 'deps' source package that is
>> used alongside their main release. I am not sure whether we should be
>> looking to a similar approach as the reasoning behind it may not match
>> ours. There are, however, some nice features associated with this
>> approach. For instance, a deps package as a whole could (presumably
>> must) be signed. In contrast, it seems that code signing is usually
>> lacking on packages on PyPI - I assume that we could not provide PGP
>> signatures on a package by package basis with an alternate package index.
> Subversion had such a deps signed source package before it came to
> Apache; later we discontinued that because some optional dependencies do
> not have a compatible license, so instead we ship a script that
> downloads the dependencies.
>
> License issues may prevent Bloodhound from releasing such a source
> package, but you'd know more about the details of that.
>
> -- Brane


I believe that none of these packages have any licensing issues for us. That may not be enough justification for implementing such a scheme though. The availability of the deps source tarball being pretty much guaranteed when the main source tarball is available is quite attractive, along with any advantage from the deps package being signed as a whole.

Cheers,
    Gary
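The two options discussed above (a signed deps tarball versus a script that downloads the dependencies) can be combined so that the download route still gives you verification even though PyPI packages carry no PGP signatures: pin each dependency to a SHA-256 digest in a manifest that ships inside the signed main source tarball, so the release signature covers the manifest and the manifest covers the downloads. The script below is an added example written for this thread; it is not Bloodhound's, Stanbol's or Subversion's own tooling, and the manifest name `deps.sha256`, the `fetch_deps` interface and the `sha256sum` dependency (GNU coreutils; use `shasum -a 256` on macOS) are assumptions.

```shell
#!/bin/sh
# Added example, not project code: verify dependency tarballs against a
# SHA-256 manifest that lives in the (signed) main source tree, and only
# keep a download once it matches. Fails closed on any mismatch.
set -eu

# verify_file FILE EXPECTED_SHA256 -> exit 0 if FILE exists and matches.
verify_file() {
    file=$1; expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)   # coreutils sha256sum
    [ "$actual" = "$expected" ]
}

# verify_manifest MANIFEST DIR
# Manifest lines look like "<sha256>  <filename>" (the layout sha256sum
# itself writes). Every listed file must exist in DIR and match; blank
# lines and '#' comments are skipped; the first mismatch fails the check.
verify_manifest() {
    manifest=$1; dir=$2
    while read -r sum name; do
        case "$sum" in ''|'#'*) continue ;; esac
        if ! verify_file "$dir/$name" "$sum"; then
            echo "verification FAILED: $name" >&2
            return 1
        fi
    done < "$manifest"
}

# fetch_deps MANIFEST DIR BASEURL
# Download each pinned file that is not already present and correct.
# The download goes to a temporary name and is renamed into place only
# after its digest matches, so a tampered or truncated file never ends
# up under the expected filename. (Hypothetical BASEURL layout: one
# file per manifest entry directly under BASEURL.)
fetch_deps() {
    manifest=$1; dir=$2; base=$3
    mkdir -p "$dir"
    while read -r sum name; do
        case "$sum" in ''|'#'*) continue ;; esac
        if verify_file "$dir/$name" "$sum"; then continue; fi
        curl -fsSL -o "$dir/$name.tmp" "$base/$name"
        if verify_file "$dir/$name.tmp" "$sum"; then
            mv "$dir/$name.tmp" "$dir/$name"
        else
            rm -f "$dir/$name.tmp"
            echo "digest mismatch for $name; refusing to keep it" >&2
            return 1
        fi
    done < "$manifest"
    verify_manifest "$manifest" "$dir"
}

# Constructed offline demo: two fake "packages" plus a manifest, then a
# tampered package to show the check rejects it.
demo() {
    tmp=$(mktemp -d)
    printf 'good\n' > "$tmp/a.tar.gz"
    printf 'also good\n' > "$tmp/b.tar.gz"
    (cd "$tmp" && sha256sum a.tar.gz b.tar.gz > deps.sha256)
    if verify_manifest "$tmp/deps.sha256" "$tmp"; then
        echo "intact deps: ok"
    fi
    printf 'tampered\n' > "$tmp/b.tar.gz"
    if verify_manifest "$tmp/deps.sha256" "$tmp" 2>/dev/null; then
        echo "BUG: tampered file accepted"
    else
        echo "tampered deps: rejected"
    fi
    rm -rf "$tmp"
}

demo
```

Because the manifest ships inside the signed main source tarball, a release consumer who checks the PGP signature on that tarball and then runs `fetch_deps` gets the same assurance a signed deps tarball would give, without having to redistribute dependencies whose licenses may not allow it. The manifest must be regenerated and the release re-signed whenever a pinned dependency version changes.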
