Skip to content

A discussion on helping downstream packaging #1791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 32 commits into from
Feb 26, 2025
Merged

A discussion on helping downstream packaging #1791

Changes from 4 commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
96058cc
Start a discussion on helping downstream packaging
mgorny Jan 27, 2025
b4cb7d2
Add a section on Internet access
mgorny Jan 27, 2025
df7081c
Also suggest the option of splitting test data into separate archive
mgorny Jan 27, 2025
cff76df
Add a section on system dependencies
mgorny Jan 28, 2025
be242a8
Add a section on downstream testing
mgorny Jan 28, 2025
9f9af53
Expand on downstream testing, and add emphasis for readability
mgorny Jan 29, 2025
00f39e5
Reorganize into why/how sections, and add emphasis
mgorny Jan 29, 2025
08c70e8
Elaborate a bit more on why it's good to help downstreams
mgorny Jan 29, 2025
24f552e
Correct "pytest" capitalization
mgorny Jan 29, 2025
24b0346
Apply suggestions from code review
mgorny Jan 30, 2025
16288af
Apply more suggestions from code review
mgorny Jan 30, 2025
b4c7485
Attempt addressing the remaining review comments
mgorny Jan 30, 2025
df0c91a
Add a section on stable channels
mgorny Jan 30, 2025
fc72a38
Retitle as "Supporting downstream packaging"
mgorny Jan 31, 2025
24462f4
Add a "not all-or-nothing" sentence
mgorny Jan 31, 2025
29cc38a
Add a note that downstreams can send patches to fix these issues
mgorny Jan 31, 2025
9d5fbe6
Capitalize Git, per @pawamoy
mgorny Feb 1, 2025
4d95da2
Fix inconsistent case in bullet points and remove duplicate
mgorny Feb 1, 2025
6f55709
Apply typo fixes, thanks to @pawamoy
mgorny Feb 1, 2025
548ab34
Clarify that source distribution needs only package's files
mgorny Feb 1, 2025
e925da1
Fix inconsistent whitespace between sentences
mgorny Feb 1, 2025
0eb407c
Make the point of reusing source distribution lighter
mgorny Feb 1, 2025
94743f9
Clarify the Internet part
mgorny Feb 1, 2025
704d1a5
Apply suggestions from code review
mgorny Feb 1, 2025
e596609
Remove duplicate paragraph
mgorny Feb 1, 2025
169281d
Clarify source distributions
mgorny Feb 1, 2025
bb8ac35
Add non-reproducibility argument for changing resources
mgorny Feb 1, 2025
addf891
Mention removing duplication of patches and inconsistency
mgorny Feb 2, 2025
8a3a56c
Reword installing tests to make it clearer
mgorny Feb 2, 2025
58eaf85
Give an example of "catastrophic failure"
mgorny Feb 2, 2025
76aaf79
Indicate that some distributions require building from sources
mgorny Feb 22, 2025
4f97860
Merge branch 'main' into discussion-downstream
ncoghlan Feb 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 24 additions & 14 deletions source/discussions/downstream-packaging.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ a few important reasons to provide a static archive file instead:
How?
~~~~

Ideally, **a source distribution archive should include all the files
Ideally, **a source distribution archive published on PyPI should include all the files
from the package's Git repository** that are necessary to build the package
itself, run its test suite, build and install its documentation, and any other
files that may be useful to end users, such as shell completions, editor
Expand All @@ -108,20 +108,30 @@ the files listing these dependencies (for example, ``requirements*.txt`` files)
should also be included, to help downstreams determine the needed dependencies,
and check for changes in them.

Some projects are concerned about increasing the size of source distributions,
or do not wish Python packaging tools to fall back to source distributions
automatically. In these cases, a good compromise may be to publish a separate
source archive for downstream use, for example by attaching it to a GitHub
release. Alternatively, large files, such as test data, can be split into
separate archives.
Some projects have concerns related to Python package managers using source
distributions from PyPI. They do not wish to increase their size with files
that are not used by these tools, or they do not wish to publish source
distributions at all, as they enable a problematic or outright nonfunctional
fallback to building the particular project from source. In these cases, a good
compromise may be to publish a separate source archive for downstream use
elsewhere, for example by attaching it to a GitHub release. Alternatively,
large files, such as test data, can be split into separate archives.

On the other hand, some projects (NumPy_, for instance) decide to install tests
in their Python packages. This has the added advantage of permitting users to
run tests after installing them, for example to check for regressions
after upgrading a dependency. Yet another approach is to split tests or test
data into a separate Python package. Such an approach was taken by
the cryptography_ project, with the large test vectors being split
to cryptography-vectors_ package.

A good idea is to use your source distribution in the release workflow.
For example, the :ref:`build` tool does exactly that — it first builds a source
distribution, and then uses it to build a wheel. This ensures that the source
distribution actually works, and that it won't accidentally install fewer files
than the official wheels.

Ideally, use the source distribution also run tests, build documentation,
Ideally, also use the source distribution to run tests, build documentation,
and so on, or add specific tests to make sure that all necessary files were
actually included. Understandably, this requires more effort, so it's fine
not do that — downstream packagers will report any missing files promptly.
Expand Down Expand Up @@ -151,6 +161,8 @@ of reasons:
unavailable, making the build no longer possible. This is especially
problematic when someone needs to build an old package version.

- The remote resources may change, making the build not reproducible.

- Accessing remote servers poses a privacy issue and a potential
security issue, as it exposes information about the system building
the package.
Expand Down Expand Up @@ -271,12 +283,7 @@ message rather than fall back to a vendored version. This gives the packager
the opportunity to notice their mistake and a chance to consciously decide
how to solve it.

Note that it is reasonable for upstream projects to leave *testing* of building with
system dependencies to their downstream repackagers. The goal of these guidelines
is to facilitate more effective collaboration between upstream projects and downstream
repackagers, not to suggest upstream projects take on tasks that downstream repackagers
are better equipped to handle.
Note that it is reasonable for upstream projects to leave *testing* of building with
It is reasonable for upstream projects to leave *testing* of building with
system dependencies to their downstream repackagers. The goal of these guidelines
is to facilitate more effective collaboration between upstream projects and downstream
repackagers, not to suggest upstream projects take on tasks that downstream repackagers
Expand Down Expand Up @@ -464,3 +471,6 @@ as well. Some specific suggestions are:
.. _pytest-rerunfailures: https://pypi.org/project/pytest-rerunfailures/
.. _pytest-timeout: https://pypi.org/project/pytest-timeout/
.. _Django: https://www.djangoproject.com/
.. _NumPy: https://numpy.org/
.. _cryptography: https://pypi.org/project/cryptography/
.. _cryptography-vectors: https://pypi.org/project/cryptography-vectors/