
Re: DPT repositories checks/"violations" report



On Sat, 27 Nov 2021 at 09:38:41 +0000, Scott Kitterman wrote:
> I don't think the pypi tarball "issue" should be presumed to be a
> problem at all.  I wasn't paying attention to Debian when that discussion
> happened, but in my experience there was a lot wrong with the idea.
> A properly constructed sdist is exactly what we want to build a package
> from.  That's almost never found on GitHub.

I think the closest we got to a conclusion was "it depends": if your
upstream reliably produces a properly constructed sdist (or at least is
happy to accept pull requests to make their sdist properly constructed)
then it makes an ideal source package, but if your upstream treats sdists
in closer to the same way a C programmer would treat a prebuilt binary
release (omitting source and including content generated from that source
instead), then a git clone is probably more appropriate.

To me, at least, it makes sense for this to be a case-by-case decision
made by someone who is familiar with this specific upstream - and wanting
to have someone familiar with this specific upstream is why we have named
maintainers, rather than having everything collectively-maintained like
some distributions do.

(For what it's worth, the GNOME team uses a mixture of `meson dist` and
git clones, and that's with an upstream that is a single project that is
in principle meant to be team-maintained with a single cohesive policy -
so if we can't standardize on one source format being "always the right
one" for GNOME, I would be very surprised if the Python team was able to
standardize on one source format for a large number of separate upstreams
linked only by their implementation language.)

    smcv

