Re: pypi url

On Sat, Apr 23, 2016 at 12:20:56PM -0400, Nico Kadel-Garcia wrote:
> I think you should use HTTPS, not HTTP, which works much better in my
> build environments. It does cause a complaint on out-of-date systems
> with out-of-date SSL certificate authorities, but we're talking about
> old systems like RHEL 5 with no security patches applied.

I think you misunderstood the issue raised here.

PyPI used to provide URLs of the form:
http://pypi.python.org/packages/source/r/raven/raven-%{version}.tar.gz
While now the URLs look like:
https://pypi.python.org/packages/3e/c9/fa64acb27f2878963ae5965a74461cd0195ebab2ba6aea2803c1f7ade8e8/raven-5.13.0.tar.gz
i.e. they include a hash of the tarball in the URL itself, which means that all
the URLs in all the spec files pointing to the old scheme are now broken.

The reason for this change was explained by Donald Stufft in the link to the
issue on bitbucket present at the bottom of Sander's email.


Pierre

> On Sat, Apr 23, 2016 at 11:06 AM, Sander Hoentjen <sander@xxxxxxxxxxx> wrote:
> > Hi,
> >
> > It seems that pypi changed the location of downloads [1]
> > This is a bit inconvenient for us, since as far as I know we used to
> > rely on the old url format in Fedora packages.
> > For example, for python-raven I use:
> > Source0:
> > http://pypi.python.org/packages/source/r/raven/raven-%{version}.tar.gz
> >
> > An option would be to use pypi.debian.net, then the line would become:
> > Source0: http://pypi.debian.net/raven/raven-%{version}.tar.gz
> >
> > Not sure if we would want to depend on pypi.debian.net, so we could
> > create pypi.fedoraproject.org for this. Alternatively we could wait and
> > see if the pypi project itself creates a service like this, as mentioned
> > in the linked issue.
> >
> > What are your thoughts?
> >
> > [1]
> > https://bitbucket.org/pypa/pypi/issues/438/backwards-compatible-un-hashed-package
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/packaging@xxxxxxxxxxxxxxxxxxxxxxx
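
An added example, not part of the original thread: a small audit that classifies the `Source` URLs of a spec file into the three forms discussed above (old unhashed PyPI path, new hashed path, pypi.debian.net) and records whether each uses HTTPS. The function names and the sample spec are hypothetical, and the 2/2/60 hex path layout is an assumption read off the one hashed URL quoted in the message.

```python
import re
from urllib.parse import urlsplit

# Path layout read off the hashed URL quoted in the message (assumed to hold
# for every file): /packages/<2 hex>/<2 hex>/<60 hex>/<filename>
HASHED = re.compile(r"^/packages/([0-9a-f]{2})/([0-9a-f]{2})/([0-9a-f]{60})/([^/]+)$")
LEGACY = re.compile(r"^/packages/source/[^/]/[^/]+/[^/]+$")
SOURCE_TAG = re.compile(r"^\s*Source\d*:\s*(\S*)\s*$", re.IGNORECASE)

def classify(url):
    """Return (kind, digest_hex_or_None, uses_https) for one Source URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    kind, digest = "other", None
    if host == "pypi.python.org":
        hashed = HASHED.match(parts.path)
        if hashed:
            # Rejoin the three path segments into the full hex digest.
            kind, digest = "hashed", "".join(hashed.group(1, 2, 3))
        elif LEGACY.match(parts.path):
            kind = "legacy-unhashed"
    elif host == "pypi.debian.net":
        kind = "redirector"
    return kind, digest, parts.scheme == "https"

def audit_spec(text):
    """Yield (line_no, url, kind, digest, uses_https) for each Source tag."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        tag = SOURCE_TAG.match(line)
        if not tag:
            continue
        url = tag.group(1)
        # Tolerate a URL wrapped onto the following line, as in the mail.
        if not url and i + 1 < len(lines):
            url = lines[i + 1].strip()
        if url:
            yield (i + 1, url) + classify(url)

# Constructed sample spec fragment using the three URL forms from the thread.
SAMPLE_SPEC = """\
Name: python-raven
Source0: http://pypi.python.org/packages/source/r/raven/raven-%{version}.tar.gz
Source1:
  https://pypi.python.org/packages/3e/c9/fa64acb27f2878963ae5965a74461cd0195ebab2ba6aea2803c1f7ade8e8/raven-5.13.0.tar.gz
Source2: http://pypi.debian.net/raven/raven-%{version}.tar.gz
"""
```

A hashed URL pins one specific file, so the extracted digest can be recorded alongside the spec and compared again when the source is bumped; the legacy and redirector forms carry no such pin.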



