On Jun 05, 2013, at 02:47 PM, Donald Stufft wrote:

> I'm really just trying to get a sense of your workflow to see if I can make
> any changes to improve the process for it.
>
> One of the big problems with download_url is that the data in setup.py is
> used in (and influences the content of) the final dist file. This means that
> inside of a setup.py you won't know what the hash of the final file is. So
> it's difficult for a setup.py based workflow with external urls to provide
> md5 sums for the files, which means that pip and friends can't verify that
> nobody modified the download in transit.
Let me explain what I (used to) do, and I'll let you decide whether anything
needs to change. ;)

When I've finally got my vcs into a releasable state, I'll generally do:

    $ python setup.py sdist upload -s

As you know, this will create the tarball and signature file in dist, and
upload everything nicely to the Cheeseshop.

At this point, I go to my project's Launchpad page and push the big "I made a
release" button. This fiddles some state on my project page, and it allows me
to upload files attached to that particular release. The nice thing is that I
can just upload the dist/*.tar.gz and dist/*.asc to add the tarball and
signature to the Launchpad download page. E.g.

    https://launchpad.net/flufl.enum
    https://launchpad.net/flufl.enum/+download

The url is predictable (which is good because it also has to play nicely with
Debian watch files). With option #3, I just added the index page to
download_url and let clients scrape it. You'll see that it contains links to
the md5 checksum and the locally generated signature.

There must be some value to also allowing folks to download from Launchpad, as
shown by the 1055 downloads of flufl.enum. Where are the PyPI download stats?

-Barry
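The exchange above turns on one ordering problem: the digest that lets a client verify a download can only be computed from the final archive bytes, which do not exist while setup.py is still running. The script below is an added example, not code from either poster or from pip or Launchpad. It builds a small constructed sdist-like tarball in memory, attaches the digest to the download link as a URL fragment (the "#md5=<hex>" form that pip of that era understood for external links; the helper names, the example.invalid host and the version string are all made up here), and shows the client-side check, including the two failure modes a verifier must distinguish: bytes that do not match, and a link that carries no digest at all (which must not be reported as "verified"). The same helper accepts sha256, since md5 is no longer collision resistant and a publisher that controls the link can pick the stronger algorithm.

```python
import hashlib
import hmac
import io
import tarfile
from urllib.parse import urlparse, urlunparse


def build_sdist_bytes(name, version, files):
    """Build a tiny sdist-like .tar.gz in memory.

    Constructed sample data only; this stands in for the archive that
    `python setup.py sdist` writes to dist/.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{name}-{version}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_link(base_url, data, algorithm="md5"):
    """Append '#<algorithm>=<hexdigest>' to a download link.

    This can only run once the final archive bytes exist, which is exactly why
    a setup.py (executed before the archive is built) cannot supply the value.
    """
    digest = hashlib.new(algorithm, data).hexdigest()
    parts = urlparse(base_url)
    return urlunparse(parts._replace(fragment=f"{algorithm}={digest}"))


def parse_digest_fragment(url):
    """Return (algorithm, hexdigest) from a '#alg=hex' fragment, or None.

    Unknown algorithms are rejected rather than guessed at, so a malformed or
    unsupported fragment degrades to "no digest" instead of a crash.
    """
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        return None
    algorithm, _, hexdigest = fragment.partition("=")
    algorithm = algorithm.lower()
    if algorithm not in hashlib.algorithms_available:
        return None
    return algorithm, hexdigest.lower()


def verify_download(url, data):
    """Check downloaded bytes against the digest carried on the link.

    Returns True on match, False on mismatch, and None when the link carries
    no usable digest; a caller must treat None as "unverified", not as "ok".
    """
    parsed = parse_digest_fragment(url)
    if parsed is None:
        return None
    algorithm, expected = parsed
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison is cheap insurance when comparing digests.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Hypothetical release: the host and version are placeholders, not real.
    archive = build_sdist_bytes("flufl.enum", "0.0", {"setup.py": "# stub\n"})
    base = "https://example.invalid/flufl.enum-0.0.tar.gz"
    link = digest_link(base, archive)
    print("publisher advertises:", link)
    print("intact download verifies:", verify_download(link, archive))
    print("tampered download verifies:", verify_download(link, archive + b"\x00"))
    print("link without digest:", verify_download(base, archive))
```

The value of this split for a release workflow like the one described above is that the digest step sits after the archive is written, where it can be automated, while the verifying side never has to trust a hash that was typed into setup.py by hand.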
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig