Arun Isaac writes:
> When packaging Python packages, why are we using the source tarballs
> hosted on PyPI, rather than using the source tarballs hosted on the
> websites of the individual projects?
> For example, for the package python-pycrypto, why are we using the
> tarball from PyPI
> instead of the tarball from the pycrypto project website
> https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?

The easy answer is probably "the importer tool we have makes it easy to
pull the version down from PyPI", so that's the way most of us package.

I'd be for using actual upstream, or at least supplying both, so that
they're mirrors. One concern is, what about the tooling for telling us
when updates to packages are available?