Changes between Version 16 and Version 17 of Ticket #13186, comment 12
Timestamp: Mar 21, 2025, 1:38:17 PM
Ticket #13186, comment 12
v16 v17 17 17 > The first type is completely unproblematic, good job. The problem is with the second type, which always fetches files from upstream. 18 18 19 Both types of package managers actually implies to fetch files from upstream. The only difference between the first and the second type in that regard is that, in the first type, a package maintainer does the fetching once beforehand (and also compiles the software) so users don't have to do it themselves (as compared to the second type where users execute the recipe themselves locally, which includes fetching files from upstream).19 Both types of package managers actually implies to fetch files from upstream. In fact, they work the exact same way technically speaking. The only difference between the first and the second type in that regard is that, in the first type, a package maintainer does the fetching once beforehand (and also compiles the software) so users don't have to do it themselves (as opposed to the second type where users do all of this themselves locally). 20 20 21 21 Fetching files from upstream, whether it is done by package maintainers in type 1 or users in type 2, is automated as part of the packaging process when packaging a new release. Our packaging tooling automatically fetches files from upstream according to the source URL declared in our build recipes. … … 50 50 > As result, for the time being I won't provide stable download links that allow leeching. 51 51 52 Now that you know that this also creates issues for distribution offering packages through type 1 package managers ( which you did not seem to be aware of), is there any chances that your stance changes?52 Now that you know that this also creates issues for distribution offering packages through type 1 package managers (since they actually work the exact same way as type 2 technically speaking), is there any chances that your stance changes? 
53 53 54 54 While I totally understand your concerns regarding your infrastructure, would you consider providing a mirror for source tarballs that do not rely on your infrastructure (or on a different less critical one maybe)? As far as I can tell, that could be a fair compromise that would satisfy all parties?