Nick Coghlan <ncogh...@gmail.com> writes:

> That said, for Fedora RPMs, we don't need sdist per se - we only need
> ready access to the "original sources".

There's a temporal element to that, too. While “ready access” to the source might be clear enough at the moment of the wheel's release, it is less clear in ten years time when the original source for a package still in Fedora is needed again.

In practice, a URL to (what one hopes is) the source is not enough to provide assurance the source will be available long in the future. Only a known tarball (or equivalent fixed single-file archive form) of the actual source is going to provide that.

> It's just that wheels don't count, since they're a nominally binary
> format, and "C ABI = None, Platform = None" in the filename isn't
> currently an entirely reliable indicator of a pure Python wheel file.

One needn't say that wheel is “nominally” anything; it is sufficient to ask “is this what a recipient would need to have the source in a form suitable for further modification and redistribution?”

A wheel distribution is fairly clearly *not* the preferred form of the work for a recipient to have to exercise freedom to modify and redistribute. The wheel distribution was generated from source files edited by the developer, and so *those* files are the source form of the work; the wheel distribution is not.

> A HTTPS source control URL together with a commit hash *can* count,
> though, even in the absence of a source archive uploaded to PyPI, as
> the VCS information is enough for us to retrieve the original sources
> and put them in the SRPM.

As I point out above, that's only reliably true if it is immediately turned into a more reliably-archived form than a URL to some hosting provider somewhere. So, in practice, the URL is not enough to provide good assurance one has the source form of the work for redistribution.

> (I'm not as familiar with Debian's policies as I am with those for
> Fedora et al, but as far as I am aware, they want a reference to the
> original sources for similar reasons of build reproducibility, license
> compliance, and code auditability).

Not merely a reference, but (as explained above) the actual source form of the work, persistent over long periods of time as the known corresponding source form of that version of the work.

> Right, any recommended solution needs to provide access to the
> original sources *in addition to* any already built wheel files.

Yes, thanks.

-- 
 \     “Try adding “as long as you don't breach the terms of service –   |
  `\   according to our sole judgement” to the end of any cloud          |
_o__)  computing pitch.” —Simon Phipps, 2010-12-11                       |
Ben Finney

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
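The point quoted above, that `none-any` in a wheel filename is not a reliable sign of a pure Python wheel, is something a packager can check mechanically before trusting the tags. The following is an added example, not code from this thread or from any Fedora or Debian tooling: it parses the PEP 427 filename tags and then scans the archive for native extension files, so a mismatch between claim and contents is visible. The wheel archives it builds are constructed in-memory samples.

```python
import io
import re
import zipfile

# PEP 427 filename: {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
WHEEL_NAME_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)
# Suffixes that indicate compiled extension modules or bundled shared libraries.
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib", ".dll")


def claims_pure_python(filename):
    """True when the ABI tag is 'none' and the platform tag is 'any'."""
    m = WHEEL_NAME_RE.match(filename)
    if not m:
        raise ValueError("not a PEP 427 wheel filename: %s" % filename)
    return m.group("abi") == "none" and m.group("plat") == "any"


def native_members(wheel_bytes):
    """Archive members whose names look like native code, sorted for stable output."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES))


def audit_wheel(filename, wheel_bytes):
    """Return (claims_pure, native_files). A 'none-any' name with a non-empty
    native list is exactly the case where the filename tags cannot be trusted."""
    return claims_pure_python(filename), native_members(wheel_bytes)


def build_sample_wheel(members):
    """Build a minimal in-memory wheel archive from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    honest = build_sample_wheel({"pkg/__init__.py": b"x = 1\n"})
    sneaky = build_sample_wheel({"pkg/__init__.py": b"", "pkg/_speedups.so": b"\x7fELF"})
    for data in (honest, sneaky):
        pure, native = audit_wheel("pkg-1.0-py3-none-any.whl", data)
        print("claims pure Python:", pure, "native members:", native)
```

A packager who wants more than the filename can also read `Root-Is-Purelib` in the `.dist-info/WHEEL` metadata, but as this check shows, only the archive contents settle the question.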