[Letsencrypt-devel] PyPi vs Git

Harlan Lieberman-Berg hlieberman at setec.io
Wed Oct 7 02:09:28 UTC 2015


Hello everyone,

With the first tarball release out from Let's Encrypt, it seems we've
run into a bit of a problem.  Prior to this, in git, we've been working
off of the assumption that we would be getting a single, monolithic
tarball.  With the release to PyPi, though, now all of the binary
packages that we have been building are in separate source packages.

As I see it, we have a couple of options.  We could:

1.  Create separate source packages for all of the binary packages, and
figure out the logical way to install the docs (probably as a second
binary package off of the main letsencrypt client).

2.  Assemble the tarballs into a single tree, and then use that as the
source orig.tar.gz for a single source package.  We have to be a bit
careful when merging them, since some of the files themselves may need
to be interleaved.

3.  Use signed tags from git, instead of the bundles sent to PyPi.

#3 is certainly the easiest, and since all of the packages are going to
need lock-step dependencies for the moment, that may be the right thing
to do, even.  Eventually, though, we may see split development
repositories.  To some degree, considering how often they are going to
be updating in the near future, I would rather trade not-great practice
for agility at the moment.

They are going to be GPG signing the tags which, although it doesn't
provide exactly the same security as a GPG-signed tarball, is probably a
safe bet.

What are all of your thoughts?
-- 
Harlan Lieberman-Berg
~hlieberman
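As an added illustration of option 3 (not code from this thread or from the Let's Encrypt project): a POSIX shell script that derives the orig.tar.gz from a signed git tag, pinning the expected signing-key fingerprint rather than accepting any valid signature, since `git verify-tag` alone exits successfully for any good signature from a key in the keyring, trusted or not. The repository path, tag name and fingerprint are placeholders, and git (plus gpg for signed tags) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a Debian-style orig.tar.gz
# from a GPG-signed git tag, refusing unless the tag signature validates
# AND was made by a pinned key fingerprint. Assumes git (plus gpg for
# signed tags) on PATH; repo path, tag and fingerprint are placeholders.
set -eu

# Succeed only when the tag carries a valid signature from the pinned key.
# `git verify-tag --raw` prints gpg status lines; VALIDSIG carries the
# full fingerprint of the signing key, so we match on that rather than
# accepting any key gpg happens to report a good signature from.
verify_tag_pinned() {
    repo_dir=$1; tag=$2; expected_fpr=$3
    status=$(git -C "$repo_dir" verify-tag --raw "$tag" 2>&1) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " \
        || return 1
}

# Export the tag's tree as a reproducible tarball: git archive uses the
# commit timestamp for mtimes and gzip -n omits the gzip header timestamp,
# so the same tag always yields byte-identical output.
export_orig_tarball() {
    repo_dir=$1; tag=$2; version=$3; out=$4
    git -C "$repo_dir" archive --format=tar \
        --prefix="letsencrypt-${version}/" "$tag" | gzip -n > "$out"
}

# Verify first, export only on success.
build_orig_from_tag() {
    repo_dir=$1; tag=$2; version=$3; expected_fpr=$4; out=$5
    verify_tag_pinned "$repo_dir" "$tag" "$expected_fpr" || {
        echo "refusing: tag $tag is not signed by the pinned key" >&2
        return 1
    }
    export_orig_tarball "$repo_dir" "$tag" "$version" "$out"
}
```

Usage: `build_orig_from_tag /path/to/clone v0.1.0 0.1.0 <40-hex fingerprint> ../letsencrypt_0.1.0.orig.tar.gz`; an unsigned tag or a signature from any other key is refused before anything is written.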



More information about the Letsencrypt-devel mailing list