On 09/03/2012 09:46 AM, Branko Čibej wrote:
> On 03.09.2012 03:48, Gary Martin wrote:
>> There is another interesting alternative that I noted from a
>> conversation on general@incubator.a.o. It seems that there is at least
>> one podling (Apache Stanbol) that has a 'deps' source package that is
>> used alongside their main release. I am not sure whether we should be
>> looking to a similar approach as the reasoning behind it may not match
>> ours. There are, however, some nice features associated with this
>> approach. For instance, a deps package as a whole could (presumably
>> must) be signed. In contrast, it seems that code signing is usually
>> lacking on packages on pypi - I assume that we could not provide PGP
>> signatures on a package by package basis with an alternate package index.
> Subversion had such a deps signed source package before it came to
> Apache; later we discontinued that because some optional dependencies do
> not have a compatible license, so instead we ship a script that
> downloads the dependencies.
>
> License issues may prevent Bloodhound from releasing such a source
> package, but you'd know more about the details of that.
>
> -- Brane
>
I believe that none of these packages have any licensing issues for us.
That may not be enough justification for implementing such a scheme
though. The availability of the deps source tarball being pretty much
guaranteed when the main source tarball is available is quite
attractive, along with any advantage from the deps package being signed
as a whole.
Cheers,
Gary
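Brane's note that Subversion replaced its signed deps tarball with a script that downloads the dependencies, and Gary's point that packages on pypi usually carry no signature, raise the question of what integrity guarantee such a script can offer. The following is an added illustration, not Bloodhound's, Subversion's or Stanbol's code: a hash-pinned fetch script in which each dependency is pinned to a SHA-256 digest recorded in a manifest, so the download is refused if the bytes served differ from what the release manager pinned. The dependency names, URLs and artifact bytes are constructed, and the transport is injected as a function so the example runs offline.

```python
"""Hash-pinned dependency fetch (added illustration, not a project's own script).

Models the "ship a script that downloads the dependencies" approach with
the integrity check an unsigned package index cannot supply on its own:
each dependency is pinned to a SHA-256 digest in a manifest, and any
artifact that fails the check is rejected before it can be installed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Dep:
    name: str
    url: str      # hypothetical location; never contacted in this example
    sha256: str   # hex digest recorded by the release manager


class IntegrityError(Exception):
    """Raised when a downloaded artifact does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(dep: Dep, data: bytes) -> None:
    actual = sha256_hex(data)
    # compare_digest: constant-time comparison of the two hex strings
    if not hmac.compare_digest(actual, dep.sha256.lower()):
        raise IntegrityError(f"{dep.name}: expected {dep.sha256}, got {actual}")


def fetch_deps(manifest: List[Dep], fetch: Callable[[str], bytes]) -> Dict[str, bytes]:
    """Fetch every pinned dependency and fail closed on the first mismatch.

    `fetch` is injected so the caller chooses the transport (urllib, a
    local mirror, or the offline stubs below) while the check stays here.
    Nothing is returned, so nothing can be installed, unless every
    artifact verified.
    """
    verified: Dict[str, bytes] = {}
    for dep in manifest:
        data = fetch(dep.url)
        verify_artifact(dep, data)
        verified[dep.name] = data
    return verified


def audit_deps(manifest: List[Dep], fetch: Callable[[str], bytes]) -> Dict[str, bool]:
    """Non-raising variant: report which pinned entries still match."""
    result: Dict[str, bool] = {}
    for dep in manifest:
        try:
            verify_artifact(dep, fetch(dep.url))
            result[dep.name] = True
        except IntegrityError:
            result[dep.name] = False
    return result


# --- constructed sample data; stands in for real sdists, not real packages ---
_URL_A = "https://example.invalid/dep-a-1.0.tar.gz"
_URL_B = "https://example.invalid/dep-b-2.3.tar.gz"
GOOD_ARTIFACTS = {
    _URL_A: b"dep-a 1.0 sdist (constructed)",
    _URL_B: b"dep-b 2.3 sdist (constructed)",
}

# The manifest a release manager would commit inside the signed source release.
MANIFEST = [
    Dep("dep-a", _URL_A, sha256_hex(GOOD_ARTIFACTS[_URL_A])),
    Dep("dep-b", _URL_B, sha256_hex(GOOD_ARTIFACTS[_URL_B])),
]


def honest_fetch(url: str) -> bytes:
    """Offline stand-in for a download that returns exactly what was pinned."""
    return GOOD_ARTIFACTS[url]


def tampered_fetch(url: str) -> bytes:
    """Offline stand-in for an index that serves a modified dep-b."""
    data = GOOD_ARTIFACTS[url]
    if url == _URL_B:
        data = data.replace(b"sdist", b"sdist + extra payload")
    return data


if __name__ == "__main__":
    print(audit_deps(MANIFEST, honest_fetch))
    print(audit_deps(MANIFEST, tampered_fetch))
    try:
        fetch_deps(MANIFEST, tampered_fetch)
    except IntegrityError as e:
        print("refused:", e)
```

The pinning only means something if the manifest itself is inside the PGP-signed main source tarball; otherwise the trust problem has just moved from the packages to the manifest. With that in place, a hash-pinned download script and a deps tarball signed as a whole give a comparable guarantee; the difference is that the tarball freezes the bytes at release time, while the script still depends on the index serving the same bytes later.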