Hi,

it is advised to distribute unmodified upstream tarballs as much as
possible, so that the end user should be able to check that the tarball
shipped by Sage has the same hash as upstream's. However, when size can
be reduced by a huge factor, integrity arguments become pretty weak and we
randomly upload hand-modified tarballs on tickets without a clear checking
process during the review process.

In some cases, one possibility is to discuss with upstream to ship both
full and trimmed sources (which will benefit other downstreams, e.g. for
mathjax that can be considerably reduced while keeping all features).

Another mid-term compromise could be to strip a few upstream sources,
but in a checkable and reproducible manner, that is, with a spkg-src
script that will produce deterministic tarballs, so that anyone (in
particular the reviewer) can re-run the script and check the hashsums. By
default, tarballs are quite volatile because of timestamps and ownership,
also the file ordering seems to depend on the computer, the posix format
is nondeterministic, and I may have missed some other subtleties.

In order to try such a possibility on the next matplotlib update, could some
people (especially someone using OSX) give me (with minimal info on their
OS, arch, and tar --version) the result of:

wget https://downloads.sourceforge.net/project/matplotlib/matplotlib/matplotlib-1.4.2/matplotlib-1.4.2.tar.gz
tar xf matplotlib-1.4.2.tar.gz
rm -rf matplotlib-1.4.2/lib/matplotlib/tests/baseline_images/*
find matplotlib-1.4.2 | sort | tar --no-recursion -cj --format=gnu \
    --mtime='1970-01-01 01:00' --group=0 --owner=0 -f matplotlib-1.4.2.tar.bz2 -T -
shasum matplotlib-1.4.2.tar.bz2

Thanks,
Thierry
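
Added example, not part of the original message and not Sage's spkg-src code: the same idea (sorted member list, fixed mtime and ownership, GNU format, bzip2) done with Python's tarfile module, so the result does not depend on the installed tar, the locale used by sort, or the local timezone. The function name and the strip_dirs parameter are assumptions made for this sketch.

```python
import bz2
import hashlib
import os
import tarfile


def _normalize(info):
    """Drop the per-machine metadata: timestamps and ownership."""
    info.mtime = 0
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info  # permission bits are kept as found on disk


def deterministic_tarball(src_dir, out_path, strip_dirs=()):
    """Pack src_dir into out_path (.tar.bz2) and return its SHA-256.

    strip_dirs lists directories (relative to src_dir's parent, e.g.
    "matplotlib-1.4.2/lib/matplotlib/tests/baseline_images") whose
    contents are left out; the empty directory itself is kept.
    """
    src_dir = os.path.abspath(src_dir)
    parent, top = os.path.split(src_dir)
    names = [top]
    for root, dirs, files in os.walk(src_dir):
        rel = os.path.relpath(root, parent).replace(os.sep, "/")
        if rel in strip_dirs:
            dirs[:] = []  # do not descend, do not list the contents
            continue
        names += [rel + "/" + n for n in dirs + files]
    with bz2.open(out_path, "wb") as raw:
        with tarfile.open(fileobj=raw, mode="w",
                          format=tarfile.GNU_FORMAT) as tar:
            # sorted() compares code points, so the order is the same
            # on every machine, whatever the filesystem or locale.
            for name in sorted(names):
                tar.add(os.path.join(parent, name), arcname=name,
                        recursive=False, filter=_normalize)
    with open(out_path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
```

A reviewer re-runs the function on the unpacked upstream tarball and compares the returned digest with the one recorded on the ticket; the compressed bytes can still differ between bzip2 library versions, which is worth checking the same way the message asks for tar --version.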
