On 2024-04-03 00:33:47 +0200 (+0200), Thomas Goirand wrote: [...] > Also, sdists are *not* "upstream-created source tarballs". I > consider the binary form built for PyPi. Just like we have .debs, > PyPi has tarballs and wheels, rather than how you describe them. [...] Upstream in OpenStack we believe we are distributing source tarballs in sdist format. We produce and sign them, and serve them from multiple locations. When you rebuild from a Git tag of an OpenStack repository using a standard Python packaging ecosystem toolchain, SetupTools is generating an ephemeral sdist on the fly in order to set the metadata PBR and other components need. I think it's fine that you'd rather rebuild the source distributions from revision control than use the ones published by the OpenStack community (we sign our tags with the same OpenPGP key as our tarballs anyway), but it's merely your opinion that sdists are *not* "upstream-created source tarballs" (an opinion *not* shared by everyone). -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature