PyPI source or github source?

To: debian-python@lists.debian.org
Subject: PyPI source or github source?
From: Brian May <bam@debian.org>
Date: Sun, 12 Mar 2017 13:19:46 +1100
Message-id: <[🔎] 874lyzi6d9.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 85r323gw48.fsf@benfinney.id.au>
References: <[🔎] 85r323gw48.fsf@benfinney.id.au>

Ben Finney <bignose@debian.org> writes:

> Debian's UScan has the ability to find, download, and verify the GnuPG
> signature for a package source release. Lintian will remind the
> maintainer if a Debian source package is not taking advantage of this.

A related issue is:

Should we be using PyPI as our source of packages? Or github?

You mention a very good reason why PyPI should be the preferred form,
packages *can* be signed by the author.

However, often packages in PyPI are not the complete source package you
would get from github. They may be sufficient for installations, but
often not for Debian packaging - which really should have the complete
source package. e.g. they can be missing tests, license files,
documentation that doesn't get installed, etc.

Sure, you could argue that PyPI source packages should contain
everything the github package does. In fact there is a PyPI tool to help
get the MANIFEST.in correct for such purposes -
https://pypi.python.org/pypi/check-manifest; however a counter argument
could also be made that upstrems generally don't care about such issues
- probably won't notice any regressions - if it installs from PyPI that
is all that really matters - and the only way we can be sure we are
getting the complete source iis from github.

Unfortunately, github releases cannot (AFAIK) easily be signed, unless
you retrieve signed git tags directly from git (which is not supported
by uscan AFAIK). Would be good if gbp buildpackage supported signing git
tags, I don't think it does either.

I started off thinking github was the best source, then slowly swayed
towards PyPI, now I am thinking maybe github again.

Comments?

Some related issues:

* Do we consider signed git tags / commits secure, considering they are
  based on SHA1?

* Is there any point having signed PyPI releases when (very likely) the
  underlying upstream git repository has no signatures?

* Is there any point having signed PyPI releases when (very likely) the
  public key is stored in an insecure DPMT respository on
  git.debian.org?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: PyPI source or github source?
  - From: Paul Wise <pabs@debian.org>
- Re: PyPI source or github source?
  - From: Barry Warsaw <barry@debian.org>
- Re: PyPI source or github source?
  - From: Ole Streicher <olebole@debian.org>

References:
- GnuPG signatures on PyPI: why so few?
  - From: Ben Finney <bignose@debian.org>

Prev by Date: GnuPG signatures on PyPI: why so few?
Next by Date: Re: GnuPG signatures on PyPI: why so few?
Previous by thread: GnuPG signatures on PyPI: why so few?
Next by thread: Re: PyPI source or github source?
Index(es):
- Date
- Thread