different code is called the same version 1.5.1 ? #41

Open
paulwouters opened this issue Jun 25, 2021 · 2 comments

Comments

@paulwouters

Hi,

I ended up via https://pypi.org/project/fqdn/ to download https://files.pythonhosted.org/packages/30/3e/a80a8c077fd798951169626cde3e239adeba7dab75deb3555716415bd9b0/fqdn-1.5.1.tar.gz

The same pypi page points to this github project as the "home page"

When compared to this git repository at tag v1.5.1, the "fqdn" subdir is identical but the rest is very different. Like one has a LICENSE file and the other does not, one contains a tests/ dir, the other does not. This is kind of a nightmare for packagers, as I now don't know which is the real version, and I have to diff everything to check for malicious stuff.

Perhaps you can do a 1.5.2 release that brings these two sources back into sync?

@ypcrts
Owner

ypcrts commented Jul 11, 2021

Hi! Thanks for raising this concern!

As you mentioned, the v1.5.1 tag ( 5ab747e14a04b461a3836583405a95762a420594 refs/tags/v1.5.1 ) and the v1.5.1 tarball are exactly the same runtime code:

$ sha256sum fqdn/*
b627858d2b709b4b68a031fd8219dd01df838324a22b87f58a6e1ca6f31c71d8  fqdn/_compat.py
79a4dd669a9a77c3f62fa28e33bd20dce86d03fc5afa44f43e612fd445cc7240  fqdn/__init__.py

The distributed tarball is generated by python3 setup.py sdist bdist_wheel then uploaded with twine upload dist/*. Is this setuptools packaging process not okay for you? Are the build artifacts causing a problem for you?

├── fqdn
│   ├── _compat.py
│   └── __init__.py
├── fqdn.egg-info
│   ├── dependency_links.txt
│   ├── PKG-INFO
│   ├── requires.txt
│   ├── SOURCES.txt
│   ├── top_level.txt
│   └── zip-safe
├── PKG-INFO
├── README.rst
├── setup.cfg
└── setup.py

The tarball omits the directories below, which are not used at runtime.

  • docs/ is boilerplate code to pull out docstrings from code
  • tests/ contains unit tests, which are run in CI before distribution

Is there something missing from the tarball that you feel should be there? Can you help me understand what your use case for it would be?
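The check the reporter describes (diff the sdist against the tag and look for anything malicious) can be scripted instead of done by hand. The following is an added example, not code from the fqdn project or either participant: it hashes every file in a git checkout of the tag and in the unpacked sdist, treats the setuptools outputs listed in the maintainer's tree (PKG-INFO, setup.cfg, fqdn.egg-info/) and the deliberately omitted docs/ and tests/ directories as expected differences, and flags anything else. The sample trees it builds are constructed for the demo (they are not the real fqdn files), and one extra file is planted in the sdist to show what a genuine discrepancy looks like.

```python
"""Added example: verify that a PyPI sdist's runtime code matches the git tag it claims,
file by file, by SHA-256. Not part of the fqdn project; the artifact names below are
assumptions taken from the maintainer's tree listing in this issue."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

PACKAGING_ARTIFACTS = {"PKG-INFO", "setup.cfg"}   # files setuptools writes into the sdist
ARTIFACT_DIR_SUFFIX = ".egg-info"                  # generated metadata directory
DEV_ONLY_DIRS = {"docs", "tests"}                  # omitted from the sdist on purpose


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def is_packaging_artifact(rel: str) -> bool:
    return rel in PACKAGING_ARTIFACTS or any(
        part.endswith(ARTIFACT_DIR_SUFFIX) for part in rel.split("/"))


def compare_trees(tag_dir: Path, sdist_dir: Path) -> dict:
    """Classify every path seen in either tree. 'changed' and 'only_in_sdist' are what a
    packager must inspect; the other buckets explain the expected differences."""
    tag, sdist = hash_tree(tag_dir), hash_tree(sdist_dir)
    report = {"changed": [], "only_in_sdist": [], "artifacts": [], "only_in_tag": [], "dev_only": []}
    for rel in sorted(set(tag) | set(sdist)):
        if rel in tag and rel in sdist:
            if tag[rel] != sdist[rel]:
                report["changed"].append(rel)
        elif rel in sdist:
            report["artifacts" if is_packaging_artifact(rel) else "only_in_sdist"].append(rel)
        else:
            report["dev_only" if rel.split("/")[0] in DEV_ONLY_DIRS else "only_in_tag"].append(rel)
    return report


def suspicious(report: dict) -> bool:
    return bool(report["changed"] or report["only_in_sdist"])


def extract_sdist(tar_path: Path, dest: Path) -> Path:
    """Unpack an untrusted sdist, refusing members that would escape dest or are links,
    and return its single top-level directory (e.g. fqdn-1.5.1/)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(tar_path, "r:gz") as tf:
        if hasattr(tarfile, "data_filter"):            # Python 3.12+ and patched 3.8-3.11
            tf.extractall(dest, filter="data")
        else:                                          # manual traversal check for older Pythons
            base = str(dest.resolve()) + os.sep
            for m in tf.getmembers():
                if m.issym() or m.islnk() or not str((dest / m.name).resolve()).startswith(base):
                    raise ValueError(f"refusing unsafe archive member: {m.name}")
            tf.extractall(dest)
    tops = [p for p in dest.iterdir() if p.is_dir()]
    if len(tops) != 1:
        raise ValueError("sdist should contain exactly one top-level directory")
    return tops[0]


def _write(root: Path, files: dict) -> None:
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> dict:
    """Constructed sample data, not the real fqdn files: a tag checkout and an sdist sharing
    the runtime package but differing around it, plus one file planted only in the sdist."""
    runtime = {"fqdn/__init__.py": "def is_valid(name):\n    return bool(name)\n",
               "fqdn/_compat.py": "PY2 = False\n"}
    shared = {"setup.py": "from setuptools import setup\nsetup()\n", "README.rst": "fqdn\n"}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        tag = base / "tag"
        _write(tag, {**runtime, **shared, "LICENSE": "MPL-2.0\n",
                     "tests/test_fqdn.py": "def test():\n    pass\n"})
        built = base / "build" / "fqdn-1.5.1"
        _write(built, {**runtime, **shared, "setup.cfg": "[egg_info]\n", "PKG-INFO": "Name: fqdn\n",
                       "fqdn.egg-info/SOURCES.txt": "setup.py\n",
                       "fqdn/_extra.py": "# planted for the demo: not in the tag\n"})
        tarball = base / "fqdn-1.5.1.tar.gz"
        with tarfile.open(tarball, "w:gz") as tf:
            tf.add(built, arcname="fqdn-1.5.1")       # same layout as a setuptools sdist
        sdist = extract_sdist(tarball, base / "unpacked")
        return compare_trees(tag, sdist)


if __name__ == "__main__":
    r = demo()
    print("suspicious" if suspicious(r) else "ok", r)
```

Against a real release you would point compare_trees at a `git checkout v1.5.1` (or `git archive` output) and at the directory extract_sdist returns for the downloaded tarball; a clean result has empty changed and only_in_sdist lists, and anything in those two lists is what needs reading before the package is trusted. The hard-coded artifact and dev-only names are specific to this project's setuptools layout and would need adjusting for packages that use a different build backend.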

@letoams

letoams commented Jul 11, 2021

I would just like to see there is one thing that is called a specific version, not two different things.
