• [RFC] DPT Policy: Canonise recommendation against PyPi-provided upstrea

    From Nicholas D Steeves@21:1/5 to All on Fri Jun 25 22:50:01 2021
    Hi Team!

    I feel like there is probably consensus against the use of PyPi-provided upstream source tarballs in preference for what will usually be a GitHub release tarball, so I made an MR to this effect (moderate recommendation
    rather than a "must" directive):

    https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/16

    Comments, corrections, requests for additional information, and
    objections welcome :-) I'm also curious if there isn't consensus by
    this point and if it requires further discussion

    Cheers,
    Nicholas

    -----BEGIN PGP SIGNATURE-----

    iQJEBAEBCgAuFiEE4qYmHjkArtfNxmcIWogwR199EGEFAmDWP8IQHHN0ZW5AZGVi aWFuLm9yZwAKCRBaiDBHX30QYbPkD/9ZjjRIUkvJfDdGg1S8YFyl44IRgfj02J6z q8mYN/wrzCVWPqTDktbX2qfz1pPX620e7PxU6X/JOTbfHW5WlWdRq+fd55nD46aS EET5USQldd2aYZItbhsmLMIaZLJ0Axs1xRl/MLj/yZ4H3T71cPA+9ru4GGhCHEK/ A+LYsAtiQQhvBKtRnJAmruATNKmVRQy43L5sql8tSTQDR/puyzmRczphyf7qxa5N 6AnBngA7Te5O5+NdiprFMjl9GFixT3UrR5bmqwrlAH/9iVMR1JPDRv3l70KI1WpR Fq0ayUPMFyynHErttnWxwEGs+JnzvhGNcLWFGie14eXKH4QfotRkNqLxqeMTu+X8 x6O0BJHvgRA6MO1tdiyw3ddV+JOLbI2suEOXy8TtDx5O1TyWvgG5iOpdA6VBc3MG 9sQt47i21zXj4eD1mzGe0cdP0Ty0pxX93RoDuewbsmF3mqBrZnNNOi6hHyUg/I5e WPeaEjNvYJ/Ss/XY7onNaBXCzYOxiE1kwNWBs3EzCsAmCUKnrqovX8U5d1mtogrp Q3wPFYU6mPWaw9rNrR5XtpY3kwzsz65Z4QXu5KYufr65K5+Z7mrPlGhOnvmnGMlH VO8021dNoFwjSI3oZYTcHVVeLNFka+k12nase5YbzxzLTfnrJZwckWFn/SUMwdWq
    y4f/PrH1Sg==
    =kJPQ
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Nicholas D Steeves on Fri Jun 25 23:20:02 2021
    On 2021-06-25 16:42:42 -0400 (-0400), Nicholas D Steeves wrote:
    I feel like there is probably consensus against the use of PyPi-provided upstream source tarballs in preference for what will usually be a GitHub release tarball, so I made an MR to this effect (moderate recommendation rather than a "must" directive):

    https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/16

    Comments, corrections, requests for additional information, and
    objections welcome :-) I'm also curious if there isn't consensus by
    this point and if it requires further discussion

    I work on a vast ecosystem of Python-based projects which consider
    the sdist tarballs they upload to PyPI to be their official release
    tarballs, because they encode information otherwise only available
    in revision control metadata (version information, change history,
    copyright holders). The proposal is somewhat akin to saying that a
    tarball created via `make dist` is unsuitable for packaging.

    "GitHub tarballs" (aside from striking me as a blatant endorsement
    of a wholly non-free software platform) lack this metadata, being
    only a copy of the file contents from source control while missing
    other relevant context Git would normally provide.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDWR9tfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCk4RhAAnWem4Mu200vr/io+xQhssXOAsRT+Gg9OIbnkAr4MnwCdT+XjWK7dDdrl mfht9BHoxMQUDkYmvH9kkQozNRJtvhEL8gE8UsLgBMZ8cBuSmnyEbnPv89cYJeRR B/29sarUYIoKD6NDx/tIRQmHWOUDq+r7eVD33RWfvLwiw7qpGmAGWZI5Imv3/YXP DLFQtuDPkF/QGuUNmVr6JBVrOiYtXZVlbP0FV5ouFGgiV2T/6XvWWD+eC7cdOpTQ aqpBnArF/OqvWVQkEI8ls4afj06Zlet83SOeP8K7qOYNOdIkcB57HRZf+euRb/D2 A0nVc//o6hCnD6AZ9hNPjZsz08nvCgV4F3sr3GkNAcW9Q8VV3vYkDRKwOoJwQS8p TfxYCtUh2d19Ex07cDDCf2cH0ViApNZduNqJtkxCrh8+O1eTgTz3yH5/4VlUfalX 5104+pZeYwrFylKcdwZQKZOjO46jsWeBuDyNP5TRLtkQC1LsRmW3kdbIi0k+IHY8 iOXHUv++Tkmn7dySKtRBC9bDVOks8rNrYW6eKiNBc82RC5t5d8u3jaUU/0/CduiE +gKeXam9Q6GJyDF4JgvZeRSZKGyHwHnWGjyp4LODN7Vbs9BXdJAHc00VzPaeS0G2 z1FgW4mCTW/YHjUzSoegIJDm0c1m+OsqlYF+XVXaiQ18mDukXlM=
    =DOn1
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Scott Talbert@21:1/5 to Jeremy Stanley on Fri Jun 25 23:40:01 2021
    On Fri, 25 Jun 2021, Jeremy Stanley wrote:

    I feel like there is probably consensus against the use of PyPi-provided
    upstream source tarballs in preference for what will usually be a GitHub
    release tarball, so I made an MR to this effect (moderate recommendation
    rather than a "must" directive):

    https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/16

    Comments, corrections, requests for additional information, and
    objections welcome :-) I'm also curious if there isn't consensus by
    this point and if it requires further discussion

    I work on a vast ecosystem of Python-based projects which consider
    the sdist tarballs they upload to PyPI to be their official release
    tarballs, because they encode information otherwise only available
    in revision control metadata (version information, change history,
    copyright holders). The proposal is somewhat akin to saying that a
    tarball created via `make dist` is unsuitable for packaging.

    "GitHub tarballs" (aside from striking me as a blatant endorsement
    of a wholly non-free software platform) lack this metadata, being
    only a copy of the file contents from source control while missing
    other relevant context Git would normally provide.

    I tend to agree about PyPI being the official releases for a lot of
    projects. "GitHub tarballs" also tend to include other undesirable stuff
    for distribution like upstream CI/CD configuration files, etc.

    Scott

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon McVittie@21:1/5 to Nicholas D Steeves on Sat Jun 26 00:10:01 2021
    On Fri, 25 Jun 2021 at 16:42:42 -0400, Nicholas D Steeves wrote:
    I feel like there is probably consensus against the use of PyPi-provided upstream source tarballs in preference for what will usually be a GitHub release tarball

    This is not really consistent with what devref says:

    The defining characteristic of a pristine source tarball is that the
    .orig.tar.{gz,bz2,xz} file is byte-for-byte identical to a tarball
    officially distributed by the upstream author

    https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.en.html#best-practices-for-orig-tar-gz-bz2-xz-files

    Sites like Github and Gitlab that generate tarballs from git contents
    don't (can't?) guarantee that the exported tarball will never change -
    I'm fairly sure `git archive` doesn't try to make that guarantee - so it
    seems hard to say that the official source code release artifact is always
    the one that appears as a side-effect of the upstream project's git hosting platform.

    That doesn't *necessarily* mean that the equivalent of a `git archive`
    is always the wrong thing (and indeed there are a lot of packages where
    it's the only reasonably easily-obtained thing that is suitable for our requirememnts), but I don't think it's as simple or clear-cut as you
    are implying.

    devref also says:

    A repackaged .orig.tar.{gz,bz2,xz} ... should, except where impossible
    for legal reasons, preserve the entire building and portablility
    infrastructure provided by the upstream author. For example, it is
    not a sufficient reason for omitting a file that it is used only
    when building on MS-DOS. Similarly, a Makefile provided by upstream
    should not be omitted even if the first thing your debian/rules does
    is to overwrite it by running a configure script.

    I think devref goes too far on this - for projects where the official
    upstream release artifact contains a significant amount of content we
    don't want (convenience copies, portability glue, generated files, etc.), checking the legal status of everything can end up being more work than
    the actual packaging, and that's work that isn't improving the quality of
    our operating system (which is, after all, the point).

    However, PyPI sdist archives are (at least in some cases) upstream's
    official source code release artifact, so I think a blanket recommendation
    that we ignore them probably goes too far in the other direction.

    I'd prefer to mention both options and have "use your best judgement,
    like you have to do for every other aspect of the packaging" as a recommendation :-)

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicholas D Steeves@21:1/5 to Jeremy Stanley on Sat Jun 26 00:30:02 2021
    Hi Jeremy,

    Thank you for your comments, reply follows inline:

    Jeremy Stanley <fungi@yuggoth.org> writes:

    On 2021-06-25 16:42:42 -0400 (-0400), Nicholas D Steeves wrote:
    I feel like there is probably consensus against the use of PyPi-provided
    upstream source tarballs in preference for what will usually be a GitHub
    release tarball, so I made an MR to this effect (moderate recommendation
    rather than a "must" directive):

    https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/16

    Comments, corrections, requests for additional information, and
    objections welcome :-) I'm also curious if there isn't consensus by
    this point and if it requires further discussion

    I work on a vast ecosystem of Python-based projects which consider
    the sdist tarballs they upload to PyPI to be their official release
    tarballs, because they encode information otherwise only available
    in revision control metadata (version information, change history,
    copyright holders). The proposal is somewhat akin to saying that a
    tarball created via `make dist` is unsuitable for packaging.


    A recommendation is non-binding, and the intent of this proposal is to
    say that the most "sourceful" form of source is the *most* suitable for
    Debian packages. The inverse of this is that `make dist` is less
    suitable for Debian packages. Neither formulation of this premise
    applies to a scope outside of Debian. In other words, just because a particular form of source packaging and distribution is not considered
    ideal in Debian does not in any comment on its suitability for other
    purposes. Would you prefer to see a note like "PyPi is a good thing for
    the Python ecosystem, but sdists are not the preferred form of Debian
    source tarballs"?

    It's also worth mentioning that upstream's "official release" preference
    is not necessarily relevant to a Debian context. Take for example the
    case where upstream exclusively supports a Flatpak and/or Snap
    package...

    "GitHub tarballs" (aside from striking me as a blatant endorsement
    of a wholly non-free software platform) lack this metadata, being
    only a copy of the file contents from source control while missing
    other relevant context Git would normally provide.

    "GitHub [and Gitlab!] tarballs" are fairly well understood, and it takes
    fewer words to talk about them than to write about integrating a merging
    or rebasing tag-based workflow (possibly with excluded files with a
    merge driver) in a team that has standardised on git-buildpackage. I
    might have out-of-date info, btw. Would it still upset the DSA if DPT packages' watch files polled using the lightweight git driver? I also
    prefer to have upstream git history :-)

    Thinking about an ideal solution, and the interesting PBR case, I
    remember that gbp is supposed to be able to associate gbp tags with
    upstream commits (or possibly tags), so maybe it's also possible to do
    this:

    1. When gbp import-orig finds a new release
    2. Fetch upstream remote as well
    3. Run PBR against the upstream release tag
    4. Stage this[ese] file[s]
    5. Either append them to the upstream tarball before committing to the
    pristine-tar branch, or generate the upstream tarball from the
    upstream branch (intent being that the upstream branch's HEAD should
    be identical to the contents of that tarball)
    6. Gbp creates upstream/x.y tag
    7. Gbp merges to Debian packaging branch.

    Cheers,
    Nicholas

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    iQJEBAEBCgAuFiEE4qYmHjkArtfNxmcIWogwR199EGEFAmDWWL8QHHN0ZW5AZGVi aWFuLm9yZwAKCRBaiDBHX30QYcEsEADQbqGg3v9uEd2IEhW4hks/veDiXFuXf4mT g9hATM3Aq90Y7f65+Yxl7lAJVsi6AIt3nHgsxOe6tfIlrRpAk5M/+yhOtGK2TUmS 2phbfUk9QV3w6hpwX5ML/NA0wYUgh1nZD5ByJbNLnn4XOu6Yi+a8Ia+DTX19evz7 Jn/LGkrjjURPB4rTlWp9nHgENycSnpmknXEfjjUU/Sxgv98wTBeT2WzsJEp6Vtkp dkTirf02CMh9BwM7gGLZ+1t8XljKisnaBhlN2va86Qhg/POY5Q3Jf2xbGlC3lT0m VFBuMuE+dKyrcJXekndBoWLOAvITVkbG3xdVBvp/4x+h5svLuaHeVPTw8aySLLDs /wDOMuSB9XWM+GZZzpOO8QEjjr9eXP9elL2lZodnH2JHFuZlWx8UfkqGYfRIxTC2 Gi241k/OqsfCU+COx691Xww+2aeoBhcPXYl2PlSXBP4G1wypdHIFvODcUr/nuEFh 5VDyvAlTlFRbaPLdiTDpdPA0A5kB3S1tARpXBHwm5P4b4miFih60EyNQnwSpdv9Y 9xy5UBpWT0AkrrZ6l5pGXWpHqwtLHyX1Waa6jlXzXq66BgEh9ll+lIo3n4ceY8fW V70lRKldYVYq/qWj5SSWJdf2Ck7RtEI6CT8NtmE0azUalPedJyxdGDU57B1Zjare SPhjpVuR3A==o8bt
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicholas D Steeves@21:1/5 to Scott Talbert on Sat Jun 26 00:50:02 2021
    Hi Scott,

    Scott Talbert <swt@techie.net> writes:

    On Fri, 25 Jun 2021, Jeremy Stanley wrote:

    [snip]
    I tend to agree about PyPI being the official releases for a lot of projects. "GitHub tarballs" also tend to include other undesirable stuff for distribution like upstream CI/CD configuration files, etc.


    Would you please expand on "etc"? It seems like it would be reasonable
    to exclude CI/CD files via the watch file for the similar reasons to
    excluding an upstream-provided debian/ subdir.

    Thanks!
    Nicholas

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    iQJEBAEBCgAuFiEE4qYmHjkArtfNxmcIWogwR199EGEFAmDWWkQQHHN0ZW5AZGVi aWFuLm9yZwAKCRBaiDBHX30QYQbzEACPYsFQMT23C9fT3zDszsXvy1zayyiHs377 7EiHWY0Oeh1nm3XEQQo22IthlaYeTNlnr7vLo5dbxRrH/zIIzQmEuvT/Uugkp1m6 6a3dPKI0S6FXJ4oA/q6KZRWsgks/RNOCqLP/4P3ZNldVotxQk3EGrgks8jL1AFr2 tyPDz8uyVIFrkO39awaBP8SBrBh6AGJnivbrIrlrN1MNOJl0T4iAQ8ejpBP3xenI tWLJwJgx4zWaIbXSTRKCkPI1/L9ioO2ItqF6FKwudryeO5WevF+sDTFIFUrIh36n 7exzE14u+dizc4byuElBTogTIOcpleAvCPEosvkcppqtY5SIhW58htwuQ9JxkoDU XXqExieN/IFK8ZgJ0WZm1bgwp28iJy4LbnSZs/kZghRsJh0PK0ny+SLVRW+uSh7R o6tpieJ6c2woTyv+1C2mnUCxMeSLhCXUWbv6QTtEMZ5Ht7nYVTaJTvzPT0116HKH odm9O7yNR0s1JUj66ayUTE0f6Y1lKzBiMUiGZwWukahT6i/a2JAVKa1LPBLZKmZU m1FmGORVEHRwzjRbmLpOz9ecsq5D8Z9nv/ReNEVT4HIX3nsrM3OjWbon/HaXwrhK /D9VZkC0LZdu1PQdqJ/YiDhuAy4ROLGQRugx2fFL9NZc4Oszajbr3ygSkedDgVZ1 cuu81aAE/w==UkM1
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicholas D Steeves@21:1/5 to Simon McVittie on Sat Jun 26 01:10:01 2021
    Hi Simon,

    Simon McVittie <smcv@debian.org> writes:

    On Fri, 25 Jun 2021 at 16:42:42 -0400, Nicholas D Steeves wrote:
    I feel like there is probably consensus against the use of PyPi-provided
    upstream source tarballs in preference for what will usually be a GitHub
    release tarball

    This is not really consistent with what devref says:

    The defining characteristic of a pristine source tarball is that the
    .orig.tar.{gz,bz2,xz} file is byte-for-byte identical to a tarball
    officially distributed by the upstream author

    https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.en.html#best-practices-for-orig-tar-gz-bz2-xz-files

    Sites like Github and Gitlab that generate tarballs from git contents
    don't (can't?) guarantee that the exported tarball will never change -

    I agree 100%

    I'm fairly sure `git archive` doesn't try to make that guarantee - so it seems hard to say that the official source code release artifact is always the one that appears as a side-effect of the upstream project's git hosting platform.


    Also agreed 100%. This line of inquiry is actually why I think using
    upstream tags is best, but even then it's possible upstream will delete
    the tag and push a new one. Does PyPi provide immutable releases? If
    so, yes, I agree there's a strong argument to be made for using PyPi vis
    à vis DevRef within a DPT context where upstream git tags (and history)
    are not merged :-)

    That doesn't *necessarily* mean that the equivalent of a `git archive`
    is always the wrong thing (and indeed there are a lot of packages where
    it's the only reasonably easily-obtained thing that is suitable for our requirememnts), but I don't think it's as simple or clear-cut as you
    are implying.


    Also agreed 100%, but I've learned people often look at comprehensive
    proposals as tldr, so I wanted to try a discussion-based approach ;-)

    devref also says:

    A repackaged .orig.tar.{gz,bz2,xz} ... should, except where impossible
    for legal reasons, preserve the entire building and portablility
    infrastructure provided by the upstream author. For example, it is
    not a sufficient reason for omitting a file that it is used only
    when building on MS-DOS. Similarly, a Makefile provided by upstream
    should not be omitted even if the first thing your debian/rules does
    is to overwrite it by running a configure script.

    I think devref goes too far on this - for projects where the official upstream release artifact contains a significant amount of content we
    don't want (convenience copies, portability glue, generated files, etc.), checking the legal status of everything can end up being more work than
    the actual packaging, and that's work that isn't improving the quality of
    our operating system (which is, after all, the point).


    I agree, and will support a proposal to modify DefRef to this end,
    because as far as I know the source tarballs in our archive aren't part
    of a secondary project to archive upstream tarballs as-released (eg: a
    kind of "ark" or source-bank, like a seed-bank, for DFSG software)...but
    maybe that is a secondary objective?

    However, PyPI sdist archives are (at least in some cases) upstream's
    official source code release artifact, so I think a blanket recommendation that we ignore them probably goes too far in the other direction.

    I'd prefer to mention both options and have "use your best judgement,
    like you have to do for every other aspect of the packaging" as a recommendation :-)


    So far the text I've been able to come up with to address this is
    something like:

    In some cases PyPI sdist archives may be the most appropriate
    upstream source tarball (then your "use your best judgement..."
    as a conclusion) :-)

    It would be really nice to include technical reasons that describe cases
    where PyPI is more appropriate, but I don't know any. My experience in
    Debian thus far has been that "what most closely fulfils Debian ideals"
    is always preferable to upstream preference. Yes, that's arguably
    insular, but I thought there was consensus on this.

    And yes, I agree moderate is better, but I must sadly confess ignorance
    to the technical reasons why PyPI is sometimes more appropriate.
    Without technical reasons it seems like a case of ideological compromise
    (based on the standards I've been mentored to and the feedback I've
    received over the years).

    Thanks!
    Nicholas

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    iQJEBAEBCgAuFiEE4qYmHjkArtfNxmcIWogwR199EGEFAmDWYFMQHHN0ZW5AZGVi aWFuLm9yZwAKCRBaiDBHX30QYTsgEAC133vBploCgIio4s+/vSpT+mhxUjt0lGXt zpRuzrB852yfFcMGZzwgoluiA4CEThh5Cczit8eYSIMm8xWW+8i/l4a5HlbcWFhk TGyVtWNm1YQhUPKWA8dvgQJP/7+d7ozPvAeZXEPfQy2XGEwx349QGZPD0Dph263v 0Pz+Uk0o2poVDSxebvAl8scVjbVlBgIystCSm2IqKcZ6jOLkkiXF1S6G7l2Rr8mu /VqJixlUf8JGpMwr/6mpDmq+I581T9iGf8rU6qfW9hMC5NV1OWECs+RJqZCsQdfH 3FIguvjqC9zl8ZeXPvDMAGNsbIJChK0oW5fFlcR3XjcV7e3g8OwQAL4ZTJ2H2Xy9 WDKUIp81+FOKpSWu/vnxMo7r1mULvnFu7Kw69J4SAh9eWgq+BqKXoMGCugJl8NnY ivYLXR933hnsSYeTDSza8MMzAQjJleB2aR6Ox+V2MVOzkdcXb3FAIl/B3C62+s9Q zJWL+Sjwtp8RK4gQPcCQP8mYFsfuXaMAP5+ptoYzW1/Kx4SDujfbnxJEXxNE1Ghy a1B9rBYIKgDK8tsg4128LrA54dOJBTsyhL89/6wrRRR/vZkCeeFFYdJLVuGNnxeb Mdc8BkGkdW0GKeMMaRXqa/rvn8DB8XnHH6wNtyD+ydr8FjrcU0SWdoZKsL2/Kn9w 6LHEZm7gXg==0jqR
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicholas D Steeves@21:1/5 to All on Sat Jun 26 02:10:01 2021
    Hi Jeremy!

    Wow, you've given me a lot to think about. Thank you :-)

    Yes, I agree with you that my MR doesn't adequately address the much
    more heterogeneous reality. (and is also indelicate, lacks nuance, etc)
    I'll take a day or two to think about this, and also to take into
    account what everyone else has written before making revisions for v2.
    If I do it right now my work won't be rigorous enough, nor fair to the contributions others have made to this thread. If nothing else it will
    require careful outlining...

    Maybe the heading should be:

    How to choose a source for the tarball (and why this can be difficult) ======================================================================

    ;-)

    Take care,
    Nicholas

    -----BEGIN PGP SIGNATURE-----

    iQJEBAEBCgAuFiEE4qYmHjkArtfNxmcIWogwR199EGEFAmDWb8cQHHN0ZW5AZGVi aWFuLm9yZwAKCRBaiDBHX30QYYlAEACJ4sHQ+M0cKQO1xNrsNmykf8d7XyNRA4Wq U9sw23mT7vzcfKQqsfFeY7q0H97AAGpEl67WnDBEqPoy9MxQfHBvlV4eDFdJOnoW Nxd1rPVwbJcwB2jIUDvAw2ffGC5ANtisv+RdqWqOJ7UhNbfKC4toQ4D65Wm8/BzD YT9JkOiIpMPxlM8XbgA1GdVsO0L5c0vcC2Pr6TiLKUm3WVTXbxhMxK/D5fxuWKpG OKmAe2AJ+3oQDCI5JMMYFNhRDAalDevrq3Gjaj/4gyrLcA/6CpvEzkL2EjTsvSm9 VY+tGWQRlOV/Nk0dQ3C8iSMCvrTw0iRuV2yxVRR1eZb2GGSIqfKsyGaUB2fjRVOg cWfDhf+LSuIe5lxfHgGIJ43KIArw5Nyg41xn8ddEgaOsPBp0IQn513Pwpb5rRaUf VFBtQdfC5kaF9NSLs7XNeJOP6LED0kYlm0aoDkAHTxi4HjJb/HHMjMuZtsZYE5DY LXboQ56nDFcGc8ojB4oanV5EpOjAFDm4TgdOHnp/7c+/mQC2iyFZkI3ig2pPZe01 payajCXPYR0cZzCzb15C3qMhMUPtT7Bp8NO6Ul8bLPPTd6fYPxN08KeqChN7hy54 k1GwRGnnW1w6ag/CQKwpk0ojWFWeqSaOzVv4sF1YmFoQXqeNge/LZi8bX71Eac4v
    +hfBNwU6JQ==
    =pDdu
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Nicholas D Steeves on Sat Jun 26 01:50:01 2021
    On 2021-06-25 18:29:19 -0400 (-0400), Nicholas D Steeves wrote:
    A recommendation is non-binding, and the intent of this proposal is to
    say that the most "sourceful" form of source is the *most* suitable for Debian packages. The inverse of this is that `make dist` is less
    suitable for Debian packages. Neither formulation of this premise
    applies to a scope outside of Debian. In other words, just because a particular form of source packaging and distribution is not considered
    ideal in Debian does not in any comment on its suitability for other purposes. Would you prefer to see a note like "PyPi is a good thing for
    the Python ecosystem, but sdists are not the preferred form of Debian
    source tarballs"?

    To reset this discussion, take the case of an upstream like the one
    I'm involved with. For each project, two forms of source release are
    made available:

    1. Cryptographically signed tags in a Git repository, with
    versioning, revision history, release notes and authorship either
    embedded within or tied to the Git metadata.

    2. Cryptographically signed tarballs of the file tree corresponding
    to a tag in the Git repository, with versioning, revision
    history, release notes and authorship extracted into files
    included directly within the tarball.

    If some alternative mechanism is used to grab only the work tree
    from a checkout of the Git repository, critical information about
    the software is lost, making it uninstallable in some cases (can't
    figure out its own version), or even illegal to redistribute
    (missing authors list referenced from the copyright license).

    So in this case you have a few options: package from upstream's Git
    repository, package from upstream's "release tarball" (which happens
    to be in Python sdist format because the egg-info is used to hold
    information extracted from their Git metadata), or use something
    which is neither of those and then have to rely on one of them
    anyway to supply the missing bits.

    It's also worth mentioning that upstream's "official release"
    preference is not necessarily relevant to a Debian context. Take
    for example the case where upstream exclusively supports a Flatpak
    and/or Snap package...
    [...]

    The problem is that you seem to want to talk in absolutes. Sure some
    (I'll wager many) Python projects can be reasonably packaged from a
    flat dump of the file content in their revision control. There are
    many which can't. Sure some upstreams may only want to release
    Flatpaks or Snaps, or may even be openly hostile to getting packaged
    in distributions at all. There are also quite a few which don't host
    their revision control in platforms which provide raw tarball
    exports generated on the fly. Some sdist tarballs leave out files, I
    agree, but they don't have to (ours don't, we only add more in order
    to supply the exported revision control metadata).

    Saying that a raw dump of the file content from a revision control
    system is recommended over using upstream's sdists presumes all
    upstreams are the same. They're not, and which is preferable (or
    doable, or even legal) differs from one to another. Just because
    some sdists, or even many, are not suitable as a basis for packaging
    doesn't mean that sdists are a bad idea to base packages on. Yes,
    basing packages on bad sdists is bad, it's hard to disagree with
    that.

    Thinking about an ideal solution, and the interesting PBR case, I
    remember that gbp is supposed to be able to associate gbp tags with
    upstream commits (or possibly tags), so maybe it's also possible to do
    this:

    1. When gbp import-orig finds a new release
    2. Fetch upstream remote as well
    3. Run PBR against the upstream release tag
    4. Stage this[ese] file[s]
    5. Either append them to the upstream tarball before committing to the
    pristine-tar branch, or generate the upstream tarball from the
    upstream branch (intent being that the upstream branch's HEAD should
    be identical to the contents of that tarball)
    6. Gbp creates upstream/x.y tag
    7. Gbp merges to Debian packaging branch.

    You'll either need a copy of the upstream Git repository or at least
    some of the files generated from that repository's metadata which
    has been embedded in the release tarball. I understand the desire to
    not put files into Debian source packages which can be generated at
    package build time from other files in Debian, but when those files
    can't be generated without the presence of the Git repository itself
    which *isn't* files in Debian, using the generated copies supplied
    (and signed!) by upstream seems no different than many other sorts
    of data which get shipped in Debian source packages.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDWabNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WClZZA/9EqCPj6ajtO7olQPcQrOp8ctpCiwp4MKKyoRTpHvh1jYvyIt1q+xn6fCB GKm5RToLSsiDoVbEEnKVEJmiT9lTU4K8bDUXkUpXLWHk/Ha4tVUX2SjVhkimLQag aF2pheYFsl8XAoSCP2RLPxMPjgVyilc/fW2znUXEynqB6wDUTI2+4kMLXYLr2RYX q9NqC5zBSkJuGLD0RnaWhsQxGFIrQaUvwO10Fngkvf+XtYnqg47IDXA8HcixWu2y oDjAW8l9E8zrRuAx+Wn4cEwHdXeIHiL4EP5nI/WH2L/RywJMxTK6Fxkd83n7GdwW 99tb6NLqW1oxthhDHlZdrxBCBsNKtOY5nTaYr/iJXRxmWsfJrnQTVEUIw7JwWE11 AQCWZFO7nFqXBtivGNKyZi7EvqvZbigTYVidniWqq7MUs+zaUZqr56PnWHv+KReT TsKoQ2dhaMkV7wTv+skWt7TFrkh3Fq+4n63//G7m1dWvDbmiaxskr+vgXQ64Ni9b MqaPl5eUgPKXFT2Dblsod6EPuefquReaxKfHN6iusNI9dbssz0zVsOLRRcnyyWMO ODZx0ZecvBhUCUJbVrNdazXa+UHVgUpLUixpSNoQCq7F+hju02wIgXRAak9RYgPm NWjiuZ5380oSv7KP/iY3gCCXks8fTksrUvrvjsS8dzT2D2MQ8D8=
    =VV8e
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Jeremy Stanley@21:1/5 to Nicholas D Steeves on Sat Jun 26 02:00:01 2021
    On 2021-06-25 19:01:39 -0400 (-0400), Nicholas D Steeves wrote:
    [...]
    And yes, I agree moderate is better, but I must sadly confess
    ignorance to the technical reasons why PyPI is sometimes more
    appropriate. Without technical reasons it seems like a case of
    ideological compromise (based on the standards I've been mentored
    to and the feedback I've received over the years).

    Hopefully my other replies here and in Salsa have provided some
    fairly large counterexamples for you. If those still aren't entirely
    clear, I'm happy to go into deeper detail or broaden to related
    examples elsewhere in the ecosystem.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDWbLNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WClQSg/+INn0cQa44AhdhpvReGoI7MowyR9nVZHjPBtippiteP6xjvJ1LOa2Inww d4P2MYp29SPIzII93YBuITSGhZ3kbZY3Eed4S9MvjOd6dV6BEz6/0E5hFzsFKz2r krrHSfW4uIzl1g8kNDVNDi5B2IvzyZE0PsayqO3Pr4PwEMeGegUWOj44RPZ08c5B 3Q3WfC3am9RQfXZGTgvgw0uTkIGhyWebikt2uT0+04U/DeU/nIuUtSTUnLixRMBo i4l8/t3cKS1shiGJX9IcLAiggA20RSUgN/vrfCaP77DLG6EKR1NZRTnc4TM77BM/ yoeVymtOzepo/n8ukskB80x/ZnD4MuVXO1kC0+owg1jx5ULt/iNjeIuN/mX2T/9A B3XDSP6WCh0e/fRHSjYQUwnHWS6ErGV/xmjdjmJYgdq5sriAB7FyQTufCcf8GrP3 7aFRfhuZb2dDDjL4yMS86BlG7zpEqZON8pKbvJ2MWTIkhl6TW3TMQJnb2tBZ1uu7 6d6yRSWKsIn33HP30GQugUygxReapl6flhCyO+DRrfJrbWmOrOD+sXbUq871G1IK 7/+njMk8WUvAyk7kXY3+p11vLjm8sPC+p1VkIxMafYDfodZeuXVOZSHqUCGoiNAD bTD5/YBnbz4phXggAxhmI9u3SPI1pPXa0BY3Ci6CaHAxNi54L6Y=
    =iJVb
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Paul Wise@21:1/5 to All on Sat Jun 26 04:10:01 2021
    On Fri, Jun 25, 2021 at 11:42 PM Jeremy Stanley wrote:

    1. Cryptographically signed tags in a Git repository, with
    versioning, revision history, release notes and authorship either
    embedded within or tied to the Git metadata.

    2. Cryptographically signed tarballs of the file tree corresponding
    to a tag in the Git repository, with versioning, revision
    history, release notes and authorship extracted into files
    included directly within the tarball.

    I would like to see #2 split into two separate tarballs, one for the
    exact copy of the git tree and one containing the data about the other
    tarball. Then use dpkg-source v3 secondary tarballs to add the data
    about the git repo to the Debian source package.

    Saying that a raw dump of the file content from a revision control
    system is recommended over using upstream's sdists presumes all
    upstreams are the same. They're not, and which is preferable (or
    doable, or even legal) differs from one to another. Just because
    some sdists, or even many, are not suitable as a basis for packaging
    doesn't mean that sdists are a bad idea to base packages on. Yes,
    basing packages on bad sdists is bad, it's hard to disagree with
    that.

    Probably we should start systematically comparing upstream VCS repos
    with upstream sdists and reacting to the differences. So far, I've
    reacted by ignoring the sdists completely.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to All on Sat Jun 26 04:00:02 2021
    On Fri, Jun 25, 2021 at 9:17 PM Jeremy Stanley wrote:

    The proposal is somewhat akin to saying that a
    tarball created via `make dist` is unsuitable for packaging.

    This is definitely true; they generally contain generated files
    (configure, Makefile.in) and embedded code copies (missing install-sh
    depcomp config.sub config.guess etc), neither of which should be part
    of the "source".

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Brian Thompson@21:1/5 to Nicholas D Steeves on Sat Jun 26 05:50:02 2021
    On Fri, Jun 25, 2021 at 07:01:39PM -0400, Nicholas D Steeves wrote:
    Does PyPi provide immutable releases?

    From experience, I can tell you that yes, releases cannot be overwritten,
    but they can be "yanked". Pypi states that a yanked release is:

    "A release that is always ignored by an installer, unless it is the
    only release that matches a version specifier (using either '==' or
    '===)."

    --
    Best regards,

    Brian T

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEg2s9vY2mGY7y4pi9hN+ATWfRmqIFAmDWo1IACgkQhN+ATWfR mqJCUQ//SDfBAmeHCcn58WpMb4eDMg+of+8tRzWJaaY/5QEbMmN97r85gK8sblHZ mZ9gCp9w6RmrPER0Q69cWt/k8cteCq/kPmKE3y3EZyHwDBYpqvgIHGKgMAC1lE72 pAFSejjClK3wh9S7Z9/lwulVC6tc0bSTudrWzPaD2HA+LMZJ+9Jdw0gbBdd5SmXb JdQaxlNdiZoeDododzTyuarQwo8lN8aXFDeGgtB7SsFO+8WbleSWXyhybS4Yin1Z kmrJhyXB3z1EEom0KCGeZTGIwRgdJL071uJ8ymc2K++CeoaUoDQWq1lPzDOagcMD +MJsQ0PE0z/62u8uuvvLDWe/kgq3bOIfi3RWeldF6f557QwADktv9OwzwW9cQbm5 0RQ/RBwq6pMeBttTJx1OGVoAEChE7oyPqqUrg6lxI/l8Bp6J2ADT5uSW52lAUXP5 fFVD3s+4E/QOOXZNvN7uR/09ykCRgEQ23fC04Eywe99yQVh2OvEbIx/yGePjp7Jb GU/91kRQVjNI0t6b44HAZKnlD9zLvp0cBaQeP3SG7YYSxQCXGK/xp+cZju0t0SLT fu3yGk8W8P8Z09StRFc3UfHvZAQO3QA8CPG1AW/fh/MUdnFrcnxkcvbcWXssCLNP EX/4WPXoA8FTNAikb0DTD0hYH6HwG9R1P0/mJxs4GA4DajFL6/I=
    =G/HO
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Donald Stufft@21:1/5 to All on Sat Jun 26 06:30:01 2021
    File names on PyPI are write once. Once a specific file name has been used it can never be used again (even if the entire project was deleted and recreated).

    Projects can delete uploaded files (and as mentioned they can be yanked, but yanking is just extra metadata beside the file), but file content can never change, only be removed.

    Sent from my iPhone

    On Jun 25, 2021, at 11:47 PM, Brian Thompson <brian@hashvault.io> wrote:

    On Fri, Jun 25, 2021 at 07:01:39PM -0400, Nicholas D Steeves wrote:
    Does PyPi provide immutable releases?

    From experience, I can tell you that yes, releases cannot be overwritten,
    but they can be "yanked". Pypi states that a yanked release is:

    "A release that is always ignored by an installer, unless it is the
    only release that matches a version specifier (using either '==' or
    '===)."

    --
    Best regards,

    Brian T

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Paul Wise on Sat Jun 26 06:20:02 2021
    On 2021-06-26 02:04:40 +0000 (+0000), Paul Wise wrote:
    On Fri, Jun 25, 2021 at 11:42 PM Jeremy Stanley wrote:
    [..]
    2. Cryptographically signed tarballs of the file tree corresponding
    to a tag in the Git repository, with versioning, revision
    history, release notes and authorship extracted into files
    included directly within the tarball.

    I would like to see #2 split into two separate tarballs, one for the
    exact copy of the git tree and one containing the data about the other tarball. Then use dpkg-source v3 secondary tarballs to add the data
    about the git repo to the Debian source package.
    [...]

    You might like to see them split, but why is the exact copy of the
    work tree the only legitimate way to export data from a Git
    repository? Adding egg-info to the tarball creates a *Python Source Distribution* which is a long-standing standard method for
    distributing source code of Python software. Those files could even
    be checked directly into the repository, so that the work tree was
    itself also a valid sdist. The only reason the projects I work on
    don't do that is because some of it would be redundant with the
    metadata from the revision control system.

    You could of course create your own split tarballs of the work tree
    and the additional metadata files, but to what end? If upstream is
    already delivering them together in a release tarball, how is making
    your own beneficial when it still has to be done by the package
    maintainer before assembling the source package? Users of Debian
    don't benefit, because they still can't recreate your split tarball
    if they wanted without also having a copy of the upstream Git
    repository anyway. It just seems like make-work.

    Probably we should start systematically comparing upstream VCS repos
    with upstream sdists and reacting to the differences. So far, I've
    reacted by ignoring the sdists completely.

    I highly recommend it. We explicitly test that our sdists don't omit
    files from the Git worktree (sans .git* files like .gitignore and
    .gitreview which make no sense outside the context of a Git
    repository). On the other hand, I've found at least one case where a
    copyright statement in a Debian package refers to an AUTHORS file
    shipped as part of the sdist, but since the maintainer chose to
    package it from Git instead and did not generate that file when
    doing so, it's not included in the packaged version distributed in
    Debian. (Not linking the bug report here as I don't want it to seem
    like I'm picking on the maintainer.)

    Just to reiterate, as an upstream we don't consider the work trees
    of our Git repos to be complete source distributions. They can be
    used along with the versioning and history tracked as part of the
    repository to generate a complete source distribution, and that's
    what we officially release. Downstream distributions are encouraged
    to either use our release tarballs or clones of our Git repositories
    to recreate the same files we would release, but if you choose to do
    neither of those you're likely to miss something.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDWqpFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCmtVRAAvrHG+MPaoZkrchnWafa4KWJGOd8O3ayV0r67A8afEbl0rYK5d5ifaG4M B11Fn1klZaGAEIoXJEpmelgjwVtXsEVJ+mDHIi8ljEc573h3W4nMUQLi1Ntugqhu 2hs+e9hBV6nOL3/XE0qfGA4MrQiB6c13kl8tgzaZ4rj8PH5b0wLQdvfCY2OvtTKv kgKgOwFoLZ7h5lV/i3YrQsSnqBCm48TFTW5ouc+B0eLjD0T5zbdUPmb5NwrkxnzC fiXaTHLC9IPyFA5zFoqErgotAi3RhGJkYfB1pVn6V5dFF79MbXS+emWnYRi8qZyb MEK44o0hanmPPRTYtidbkgOUHAq8Q06AaYZ/jbkLypjne54sc6ifS3kc7/jXba3j JeljH3S+J+gq85IvQQTU0BfbCRVJhFTqz1IPzsdDkNvC+3UI6ax6yup5mpAQ8cw0 TH/BGsH2hVAjEYWEgDWSMnC0jEHsw50a9ok57k/ryOPduxKc53Rvb41yAS4fSPo3 tPhTidMD6tfPdpD5wQJlV7sAFSDDYqGFb11ndlOMZSZsGvJ+5m2qTKNAZxCp/16p YTgtm2zdQB3Ph2OaGk7AOYPVwo7LR9efG7It/ArLiWgbZ2dYfNaNv7mLJ/4yohRl 0mX0PY3Pg6YhrCPiu6HOLQ0PJUY/SZKpUGR2pIUWQJr6hgi6Qpo=
    =CQr+
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Martin@21:1/5 to Paul Wise on Sat Jun 26 11:30:02 2021
    On 2021-06-26 02:04, Paul Wise wrote:
    I would like to see #2 split into two separate tarballs, one for the
    exact copy of the git tree and one containing the data about the other tarball. Then use dpkg-source v3 secondary tarballs to add the data
    about the git repo to the Debian source package.

    IIRC, last time I tried multiple tarballs, I got stuck with
    pristine-tar. Not sure, if I didn't find out how to commit or
    if the problem was with checkout, though.

    Do you happen to know, if this is an issue?

    PS: Just for the record: I'm always(?) using upstream sources
    from git, not PyPi, because the latter typically are missing
    unit tests, which we want to run in Debian.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon McVittie@21:1/5 to Nicholas D Steeves on Sat Jun 26 12:20:02 2021
    On Fri, 25 Jun 2021 at 18:29:19 -0400, Nicholas D Steeves wrote:
    Take for example the
    case where upstream exclusively supports a Flatpak and/or Snap
    package...

    Flatpak and Snap aren't source package formats (like Autotools "make dist"
    or Meson "meson dist" or Python sdist), they're binary package formats
    (like .deb or Python wheels).

    I don't know Snap infrastructure well, but Flatpak apps are built from
    a manifest that lists one or more source projects, referenced as either
    a VCS commit with a known-good commit identifier (usually git) or an
    archive with a known-good hash (usually tar and sha256). The manifest
    format and the upstream-recommended Flathub "app store" infrastructure
    try to push authors towards building from source, although as with
    .deb, technically it's possible to release an archive containing binary
    blobs and use it as the "source" (which is how proprietary apps like com.valvesoftware.SteamLink work, similar to many packages in the non-free archive area).

    If the upstream only provides source via their VCS, then obviously we
    have to use `git archive` or equivalent because we have no other way to
    get a flat-file version, and the experimental dpkg-source format
    "3.0 (git)" isn't currently allowed in the Debian archive. If the upstream releases tarball artifacts and builds their Flatpak app from those, we can
    use those too.

    I think the problem case here is when the upstream releases something that
    has the name and format we would associate with a source release, but
    has contents that are somewhere between a pure source release and a binary release. Autotools "make dist" has always been a bit like this (it contains
    a pre-generated build system so that people can build on platforms where
    m4 and perl aren't available, and it's common to include pre-generated convenience copies of things like gtk-doc documentation); Python sdist
    archives are sometimes similar. In both Autotools and setuptools, it's
    also far too easy to have files in the VCS but accidentally omit them from
    the source distribution, by not listing them in Autotools EXTRA_DIST or in setuptools MANIFEST.in.

    What I have generally done to resolve this problem is to use the upstream's official source releases ("make dist" or sdist), and if they are missing
    files that we want, send merge requests to add them to the next release
    (for example https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/5fcaba6f
    and https://github.com/containers/bubblewrap/commit/1c775f43),
    and if necessary work around missing files by shipping them in debian/
    (for example https://salsa.debian.org/gnome-team/gi-docgen/-/commit/f16845d9).

    Several upstreams of projects I work on, notably GNOME, have been
    switching from Autotools to Meson, and one of the reasons I'm in favour
    of this tendency is that the Meson "meson dist" archive is a lightly
    filtered version of `git archive` (it excludes `.gitignore` and other
    highly git-specific files, but includes everything else), making it
    harder for upstreams to accidentally omit necessary source code from
    their source releases.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?UTF-8?Q?Louis-Philippe_V=c3=a9ron@21:1/5 to Nicholas D Steeves on Sun Jun 27 01:00:03 2021
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --aF76M1cATfH6cz2fu4FapZ86SFgTgGKLN
    Content-Type: text/plain; charset=utf-8
    Content-Language: en-US
    Content-Transfer-Encoding: quoted-printable

    On 2021-06-25 16 h 42, Nicholas D Steeves wrote:
    Hi Team!

    I feel like there is probably consensus against the use of PyPi-provided upstream source tarballs in preference for what will usually be a GitHub release tarball, so I made an MR to this effect (moderate recommendation rather than a "must" directive):

    https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/16

    I don't often use PyPi releases because of the issues mentioned in the
    MR, but I think Jeremy's point is valid. IMO, rewording the text so that
    it clearly says "should" and not "must" would fix the issues at hand, as
    long as people justify their usage of PyPi when it's "The Right Thing"
    in a file somewhere.

    To me, the most important thing is that all packages must at least run
    the upstream testsuite when it exists (I'm planning on writing a policy proposal saying this after the freeze). If PyPi releases include them, I
    think it's fine (but they often don't).

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ pollo@debian.org / veronneau.org
    ⠈⠳⣄


    --aF76M1cATfH6cz2fu4FapZ86SFgTgGKLN--

    -----BEGIN PGP SIGNATURE-----

    iHUEARYKAB0WIQTKp0AHB6gWsCAvw830JXpQshz6hQUCYNevbgAKCRD0JXpQshz6 hQTLAP9XQBUIL2v6Tep5ga5XK9nEfTREH1tKWpG/Ma0XRa262gEA9LuJykn0QIek RkG+aoy8bODySRfH+iJac2YQ42T70g4=
    =2jmO
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to All on Sun Jun 27 02:20:01 2021
    On 2021-06-26 18:51:26 -0400 (-0400), Louis-Philippe Véronneau wrote:
    [...]
    To me, the most important thing is that all packages must at least
    run the upstream testsuite when it exists (I'm planning on writing
    a policy proposal saying this after the freeze). If PyPi releases
    include them, I think it's fine (but they often don't).

    When you do write that, you'll of course want to clarify what "the
    upstream testsuite" really means too. Lots of projects have vast
    testing which is simply not feasible to replicate within Debian for
    a number of reasons. Running some battery of upstream tests makes
    sense, but testsuites which require root access outside a chroot,
    integration tests orchestrated across multiple machines, access to
    unusual sorts of accelerator or network hardware, and so on can
    easily comprise part of "the upstream testsuite."
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDXwdRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WClIyRAAodlGLDHeHOap2tyluLU5vIZdZ3jmVrTZ6pSPx37cVSpOqmG8iZ5/fuHD SsWRGX70BK8Vcxd9N0qJ2XldAkZwBHGw3sLExTix6CaaXXugPcf1E0XhID+4Ptk4 yzZRf2Y7760Zrd3HOSzihu1xcL7U3wRIUEOA1FPXVqGUft28tJXV+Zj45zYwgLE8 2KpCNpbtyH0MHltUwo1DWk+g9rwFZjdLCjzXpa4Dlg0RoNwz9wi11IIUQVEzjTZu UojQ3R0kwJ0uzuabijwO4D7R8mlPBIlhBFh9f9ow4CjP2pkT5uSofg2R8Wk0RTvU D+UEQI5WsiLyFBZtsIMg50g9GbbX6H9A3r7nWEfUBqxEq1O7gq3MmTgBT6EI3FVV dmVA+mYJcpYf8JAgaqsSoHYO0Fdtq9LUUcrMxFcPuHqi0UvGsTokZoaoXoyP9Sz4 4rGYjVJKw+HjL5pL5zBuroL98lZq9PAbpZKr9DUV1si0avunTY/o0whPrXUUpBYi DVok9CoQoIsgf1032RBm0/FCbt9a/JuDzGr3fX7lYUY+fE33xoYgOnOEOGU+HPpl IehED9jEyJPhK0PYy0TX94ViOzSYiN/jxHge+4cZBN5gzB+xt5pq9irVNe2RLPou Kw2It6YuelcDCjHDnfXWDry53TWq5hOLqRxo5qLexX507j9hQHs=
    =xJER
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Emmanuel Arias@21:1/5 to =?UTF-8?Q?Louis-Philippe_V=c3=a9ron on Mon Jun 28 04:50:02 2021
    To: debian-python@lists.debian.org

    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --RZ61CX0iwOCJbmHSqRRIf5zXnwz0kqmSL
    Content-Type: multipart/mixed;
    boundary="------------88E7464731BDD3A7BBB8BC17"
    Content-Language: en-US

    This is a multi-part message in MIME format. --------------88E7464731BDD3A7BBB8BC17
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable

    Hola everybody,

    On 6/26/21 7:51 PM, Louis-Philippe Véronneau wrote:
    To me, the most important thing is that all packages must at least run
    the upstream testsuite when it exists (I'm planning on writing a policy proposal saying this after the freeze). If PyPi releases include them, I think it's fine (but they often don't).

    I was a little surprised because in all discussion anyone take account
    the tests (or if a missed sorry) thanks pollo to get it in discussion. I
    don't have the correct numbers but I saw  many python package without autopkgtest, and if we package from PyPi, that don't contain the
    testsuite, that result in packages with any test, and that isn't good.

    Also, I'm not sure, but the docs aren't in PyPi, isn't?

    In the other hand, files like .git* or CI files, can be easily remove
    it. So, I don't see any problems with that.

    cheers

    --
    Emmanuel Arias
    @eamanu
    yaerobi.com


    --------------88E7464731BDD3A7BBB8BC17
    Content-Type: application/pgp-keys;
    name="OpenPGP_0xFA9DEC5DE11C63F1.asc"
    Content-Transfer-Encoding: quoted-printable
    Content-Description: OpenPGP public key
    Content-Disposition: attachment;
    filename="OpenPGP_0xFA9DEC5DE11C63F1.asc"

    -----BEGIN PGP PUBLIC KEY BLOCK-----

    xsFNBFw1x6oBEADBrJOCQvmkffxnUyGkx74a8xifdgEZLu+Xz6hV7CEyl1/71+8xqIZr9s09w++y Pod938Se/gopqgaXpIx46lKp1EI0F0hFoYne5ub6EsIxcyMCCFwbTeR8CQt2EJ86hpS+FYvbSTbw vNPCNT/EZuyE3KXrZk7j8nhoAobQwTZVE6agRULUTrxtH1q6w6OhBMtAyZpxRmq9nhLEYRvtSm++ pyRK+N40pgUED+psPB12NhpHfMpHfSoUyWKMC/7S34XMp1JQtogO4MFjviUpI8iWjWdqJvs/VWQe 0gQqnH/P4DMKyWdbgJbv9S/kj6r00SsGpMRq15wOcLdEPDST8vb7MDOAG77zBJy3kY3U7JbrWgad wnivD/nNHTeJAC6hFY/rfmKvWUKPyKO+Y+H6g6sWHTEjm/duIrvm2essMb08ebGoIcjDQf6q1nX8 6fDY8EM9L0IueN6CqybD2AyVQbifqA8Z8968Vrhl9TQOemNkHdqhhTHC9/H8osGj4pZF7Rqq3OKG oG61kbmti3142mGtfupCVRyRoLeR6BZF1s1TrXxqCXWtueyw0lCidfCcfYQAYsMsFUQ951BijSj6 0I/KeUmdyjgjfgFthzaG47wr9jQ1Qu
  • From Jeremy Stanley@21:1/5 to Emmanuel Arias on Mon Jun 28 18:30:02 2021
    On 2021-06-27 23:49:18 -0300 (-0300), Emmanuel Arias wrote:
    [...]
    if we package from PyPi, that don't contain the testsuite, that
    result in packages with any test, and that isn't good.

    Also, I'm not sure, but the docs aren't in PyPi, isn't?
    [...]

    This depends entirely on how upstream is creating their sdists. They
    might certainly choose to omit tests or even documentation, but I
    think that's becoming less popular now that wheels exist. It is
    expected for a wheel to omit basically everything except the
    application, licensing information and some metadata. This has
    reduced the pressure on upstreams with massive suites of tests or
    volumes of documentation to strip them out of sdists, making it more
    likely they'll ship full source distributions that way.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmDZ+AZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WClhTg//cMvQO1ow0T/1FAqBnXtBqJrx/uyr1LuHf/dx3hIjbqxu6zdxepC0xCt2 zD75jgxxu9qquMz7+PGG55hhDl+8+hDkgGW3DNL1FU5iZCKNsgF1xPsM5ITFPfG5 s8Ja2IB0drlvn82v51p+VrynLG1X61mlJhvazgo34iOKGbxVtnCRMgwd6MUXLGWx 4sJrbeL8xnUaLymK/VT7w651HL7dXUd4HJ7CTkyXJSppDJmPJ3ZB1jeVVnm/o0Sq b42QFsfqM6Ml1A/RHFqBfbdYCP4ENY1Dxc4LgH+3jhQqZ3ybpQ1Z5Sw7Em2AyLIA Teo1ZYLatFEHAxad4BJgZLnYPEdDbxbsS6tGQqCrI0nbINYLFLHE5aABM7jWJS7I tDEBl1rdBHUUkOuI6fJIvhJZ7pN5fYCmf2UoFei4eIVCaVDqdc1Yy72SXWDFzs29 TCbJDZ5hqlihAcum7eyXAgCfVdNkjbuy7ZlRSg5GVYBjRDb7Wogga/QcG7Xqj4rp kPb1dFHgPNpEIFgQVOFbISnmXCuCX2TYuPmOzBTcKaEe7cNlFURXIrwocgi4JK3k wSbOUV9IYHEFdZfM0pYCLPGpfZ9A1Z8Px3Ox16qOPPdUjr4akEDb8HhY9f/iomhw mHCca06D8IJMPBm/pnti+7KnHOgVgRkRRRnhhQlQbE/MZV6MaKM=
    =QlKp
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32