On 20/01/2011 04:12, John Stowers wrote: > On Wed, 2011-01-19 at 23:02 +0100, Tim Lebedkov wrote: >> Let me explain my concerns in detail. In Npackd (package manager) I >> download packages from different >> locations like >> http://ftp.gnome.org/pub/GNOME/binaries/win32/pygobject/2.26/pygobject-2.26.0-1.win32-py2.7.msi >> To check that the download was OK, I compute the SHA1 checksum of the file. >> For this to work a file placed at a specific URL should never be changed.
We're doing something similar in the aio installer build script and build description file, except they are md5 checksums. > Old installers are *never* deleted nor silently replaced on the GNOME > site. In fact that was the reason for the creation of the -1 variant; to > fix packaging bugs in windows, no PyGObject code was changed so we didnt > think it necessary to make a new PyGObject release with a version bump. Yes. And in the unlikely event where your SHA1 (and by definition our md5) should no longer match for a certain file on ftp.gnome.org, you likely hit a bad mirror. Something like that should then probably be reported as a bug. > I'm think Dieter misunderstood your question and offered an incorrect > reply. See below. Yes, I completely misunderstood the question. My apologies for the confusion. > As mentioned in the release notes, this installer only contains updated > gtk+ runtime, and updated glade installers. PyG* remain unchanged so no > installers were ever silently replaced on the GNOME servers. > > So in conclusion, if the all-in-one installer requires newer component > installer for any other PyG* packages, those component installers will > be uploaded to the GNOME servers with a new filename, and the README and > release notes of the all-in-one installer will make this clear. Indeed, that's the general idea. Regards, Dieter _______________________________________________ pygtk mailing list [email protected] http://www.daa.com.au/mailman/listinfo/pygtk Read the PyGTK FAQ: http://faq.pygtk.org/
