Re: [pygtk] ANNOUNCE: PyGTK All-in-one Installer 2.22.6

[Dieter Verfaillie <dieterv optionexplicit be>]

On 20/01/2011 04:12, John Stowers wrote:
> On Wed, 2011-01-19 at 23:02 +0100, Tim Lebedkov wrote:
>> Let me explain my concerns in detail. In Npackd (package manager) I
>> download packages from different
>> locations like http://ftp.gnome.org/pub/GNOME/binaries/win32/pygobject/2.26/pygobject-2.26.0-1.win32-py2.7.msi
>> To check that the download was OK, I compute the SHA1 checksum of the file.
>> For this to work a file placed at a specific URL should never be changed.

We're doing something similar in the aio installer build script and
build description file, except they are md5 checksums.

> Old installers are *never* deleted nor silently replaced on the GNOME
> site. In fact that was the reason for the creation of the -1 variant; to
> fix packaging bugs in windows, no PyGObject code was changed so we didnt
> think it necessary to make a new PyGObject release with a version bump.

Yes. And in the unlikely event where your SHA1 (and by definition our
md5) should no longer match for a certain file on ftp.gnome.org, you
likely hit a bad mirror. Something like that should then probably be
reported as a bug.

> I'm think Dieter misunderstood your question and offered an incorrect
> reply. See below.

Yes, I completely misunderstood the question. My apologies for the
confusion.

> As mentioned in the release notes, this installer only contains updated
> gtk+ runtime, and updated glade installers. PyG* remain unchanged so no
> installers were ever silently replaced on the GNOME servers.
> 
> So in conclusion, if the all-in-one installer requires newer component
> installer for any other PyG* packages, those component installers will
> be uploaded to the GNOME servers with a new filename, and the README and
> release notes of the all-in-one installer will make this clear.

Indeed, that's the general idea.

Regards,
Dieter