-
-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
2 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please meke next time github release a well because github sends watch notification only if it is new entry in https://github.com/python-websockets/websockets/releases
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, you cannot get information about new versions via GitHub notifications because I don't use GitHub releases.
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to add such additional step? 🤔
It would allow use such async noityfications to check quicker new release by more people ..
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GitHub automatically generates archives (.zip and .tar.gz) for releases that aren't valid Python packages. There's no way to prevent it. In the past, on another repo, I ran in trouble with people using these archives to install my libraries. That's one of the reasons why I stopped using GitHub releases. The other reason is that it takes quite a bit of manual work to copy and reformat the changelog.
Generally speaking, I would recommend against GitHub notifications for checking if your dependencies are up-to-date. There's a range of tools, including but not limited to dependabot, pip-tools, or poetry, that can be configured to do this with more or less automation, depending on your favorite workflow.
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No one is going to use such tar balls as pyhon packages.
However using such tar balls as input resource to produce package makes sense in 100%.
Especially if it is used packaging layer like rpm or other to provide plaform on which will be guaranteed that it will be easy to integrade in build processs any patch from VCS..
So above says that I have ATM +1130 spec files with description of building rpm packages with python modules.
1041 are using as input resource tar ball autogenerated from git tags
All those packages which are usimng VCS tar balls have now integrated almost 600 patches taken directly from exact commits hashes.
I wantoi only to say that we are living in th worrld in which we are dealing with software with many bugs.
It doesn't matter how many of those bugs are still around.
Most important is how quicluy single bug can be soted out and what is total COST of fixing exact issue.
using standard python tooling for now is not possible to provide so low cost as in this case ..
I have already some automations which is processesing release notyfications trying to automatically build new version and if such new package builds correctly and passess some qualification tests only at the end human is involved to approve use of new package version.
In other words such notyfications saves in my distro a lot of time 😋
With that automation working soon I should be able provide automatically generated fidback notyfications that something went wrong.
You will scratch my back and I will do the same 😛
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, it looks like we're facing the divergent concerns between "library maintainers" and "distro maintainers".
(I don't know if you're actually "maintaining a distro". At least, you're building RPM packages and installing them system-wide rather than downloading Python wheels and installing them in a virtualenv. So the concerns are the same.)
Now, we have two separate issues here.
Since I tag versions, you can download an archive from GitHub:
I believe this should do the job.
I don't believe that GitHub is the best place for this as far as Python packages are concerned. The standard in the Python community is to release packages to PyPI. This is the most complete database. It doesn't depend on whether a package is maintained on GitHub or elsewhere, what the release workflow looks like, etc.
You can access this information automatically from PyPI:
curl https://pypi.org/rss/updates.xml(then you have look for packages you care about in the stream)curl https://pypi.org/rss/project/websockets/releases.xml(requires scripting 1130 calls)curl https://pypi.org/pypi/websockets/json | jq -r .info.version(same)Even better, you can probably get one source of information for packages written in multiple languages with Libraries.io. I'm not super familiar but I think it's what you want. That should be more robust and easier than getting all maintainers to use GitHub releases.
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you will look currently on any Linux, *BSD or even Solatis (Nexenta, OmniOS or Oracle Solaris) distibution you will find that all of those OS distrybutionsfrom from many years no longer relies on what
pipcan do but are trying to form set of packages between which is guaranteed consistency and are fixed known and/or JFDI issues.That is for what sometimes some clients are paying for.
pip is not the tool which has been developed in mind for such things and only relies on what is published on pypi.
As sometimes python modules maintainers are busy/lazy/don't want to release new version after already fixing in git repo some already identified issue there is no other way to deal with how to provide such set of modules with proper ballance of functionality and possible lowest level of known bugs than just use OS level package management tooling.
It is really so simple ..
GH notyfications are only mechanizm which could trigger some additional automatic or manual steps to test new vesion of the software.
Only this and nothing more.
Create GH release it is inly one command .. https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository?tool=cli.
You can do that as well directly over GH API using curl or if do that manually if you wish.
If you have alredy some defined process of release new verion (as for example script) with publishing results on pypi and tagging git repo it will be just yet another line in that definition.
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I filed an issue to keep track of this discussion: #1347
I'm not 100% decided yet. If the cost of maintenance is low, I could do it.
PS: your last message makes it very clear that we're in the usual distro maintainer vs. library developer tension...
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you 👍
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming #1351 works as designed you'll get a GitHub Release for future releases. You have them for all past releases, too, including the new one I made today.
f516cf5There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep it works 👍
Thank you 😄