When packaging Python packages, why are we using the source tarballs
hosted on PyPI, rather than using the source tarballs hosted on the
websites of the individual projects?

For example, for the package python-pycrypto, why are we using the
tarball from PyPI
https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
instead of the tarball from the pycrypto project website
https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz ?

Using the PyPI tarball seems to make Guix dependent on another package
repository -- namely, PyPI. That seems to me a bad thing.

I have packaged a few Python packages using the tarballs from their
respective project websites. Should I change them to use the PyPI
tarballs before contributing the package definitions to Guix? Which
tarball should I prefer?

Regards,
Arun