New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't fetch trove-classifiers from the web #31
Comments
Hi @FRidh, thank you very much for reporting this. Adding an option seems very reasonable, but I have to engineer a way of passing them through the chain. Currently there is a way of achieving that, but it involves setting a environment variable: |
Best ask other redistributors what their point of view is on this matter. Let's start with arch, cc @FFY00 |
Yup, the |
Hi @FRidh, I am not sure if I understood this correctly. I am planning to disable the Isn't it a good thing that packages are having their classifiers validated by default during the build? I would say that is a feature...
When running the tests people can opt out of this particular behaviour by setting the environment variable, or have a more consistent one by installing a pinned version of the |
Absolutely! However, fetching something from the web is not the way, since as I mentioned, it can affect reproducibility. When a classifier is in the future deprecated, it will fail the validation and thereby the build, right? I'm going to drop this here. https://reproducible-builds.org/. |
Thank you very much @FRidh. I feel like if the users are interested in reproducibility, it would be fair to expect them to pin However I understand that this is not something you cannot teach easily and it is very easy to get wrong, so is just easier to sacrifice the classifier validation for the sake of pragmatism. Unfortunately 😢 |
Thanks for your understanding!
They would have to know about that then. You could ask this for this package, but what about every other package out there? The issue really is that there can be a near infinite amount of ways impurities are introduced. So in this case, while providing an environment variable is a good idea, it becomes something those that bother with reproducibility will need to be aware of. Knowing these aspects of every package (and it's vendored dependencies!) is not doable. Many fixes have been in the past years by a lot of people to achieve reproducible builds that it would be a pity to take a step back, even for something as relatively small as this. |
It is a pity to loose the functionality but I understand. I will work on that. |
This helps to improve reproducibility. See #abravalheri/validate-pyproject#31.
In order for builds to be reproducible, it means everything that is being checked and build will be checked and build consistently when repeated. When downloading the trove-classifiers from the web, it is (theoretically) possible that a validation pass one time and fail another. This should be avoided.
Furthermore, downstreams such as distributors do a lot of effort to avoid unwanted network lookups. We should not be adding more.
Note that if there is a setuptools option to disable this, this could make distributors happy!
By the way, I put it here instead of setuptools as the code path is in here if I am correct.
The text was updated successfully, but these errors were encountered: