Improve OpenSSF Scorecard

[jab]

Ref:

• https://deps.dev/pypi/bidict
• https://github.com/ossf/scorecard/blob/main/docs/checks.md

[jleclanche]

IMO dependency pinning is the only "real" item in this list.

I think it would be helped by switching to Poetry for dependency management. Do you want some help with this?

[jab]

Already pinning dependencies to exact versions, just not yet using hashes. There should be no need to switch to poetry for that though, as pip and pip-compile-multi support that already. Just tried in 3c385d5 but hit Python version-specific inconsistencies that cause installation to fail for some Python versions when the requirements were generated via pip-compile-multi running from a different Python version (see e.g. https://github.com/jab/bidict/actions/runs/3560472842/jobs/5980516165#step:7:131). Have to put this aside for now. Should have time to pick it back up next weekend. Feel free to take a look in the meantime if you're interested, and thanks for offering!

[jleclanche]

Yeah, I've had a horrendous experience with pip-compile-multi, and this is a good example why…
IMO Poetry just does things "right". Dependency management in pyproject.toml, follows pep 518/621, lockfile is separate.

[jleclanche]

@jab If you want, here's a pyproject.toml file with poetry set up. The only thing I couldn't quickly check is how your includes and excludes would look; poetry does a lot of things out of the box so you don't need to mess about with manifest files.

[tool.poetry]
name = "bidict"
version = "0.22.1.dev0"
description = "The bidirectional mapping library for Python."
license = "MPL 2.0"
authors = [
    "Joshua Bronson <jabronson@gmail.com>",
]
readme = "README.rst"
homepage = "https://bidict.readthedocs.io"
repository = "https://github.com/jab/bidict"
documentation = "https://bidict.readthedocs.io"
classifiers = [
    "Development Status :: 4 - Beta",
    "Intended Audience :: Developers",
    "Topic :: Office/Business :: Financial",
    "Programming Language :: Python :: Implementation :: CPython",
    "Programming Language :: Python :: Implementation :: PyPy",
    "Topic :: Software Development :: Libraries :: Python Modules",
    "Typing :: Typed",
]
keywords = [
    "dict", "dictionary", "mapping", "datastructure", "bimap", "bijection",
    "bijective", "injective", "inverse", "reverse", "bidirectional", "two-way",
    "2-way"
]
packages = [
    { include = "bidict" }
]
include = [
    "LICENSE",
    # Note: No idea without further testing what else should go there
]
exclude = [
    # ...
]

[tool.poetry.urls]
"Donate" = "https://github.com/sponsors/jab"
"Enterprise Support" = "https://bidict.readthedocs.io/#enterprise-support"
"Changelog" = "https://bidict.readthedocs.io/changelog.html"
"Issue Tracker" = "https://github.com/jab/bidict/issues"
"Chat" = "https://gitter.im/jab/bidict"


[tool.poetry.dependencies]
python = "^3.7.2"

[tool.poetry.group.dev]
optional = true
[tool.poetry.group.dev.dependencies]
check-manifest = "^0.48"
pre-commit = "^2.20.0"
tox = "^3.27.1"

[tool.poetry.group.docs]
optional = true
[tool.poetry.group.docs.dependencies]
furo = "^2022.9.29"
sphinx = "^5.3.0"
sphinx-copybutton = "^0.5.1"

[tool.poetry.group.lint]
optional = true
[tool.poetry.group.lint.dependencies]
pre-commit = "^2.20.0"
pylint = "^2.15.6"
pytest = "^7.2.0"
hypothesis = "^6.58.1"

[tool.poetry.group.tests]
optional = true
[tool.poetry.group.tests.dependencies]
hypothesis = "^6.58.1"
coverage = "^6.5.0"
py = "^1.11.0"
pytest = "^7.2.0"
pytest-benchmark = {extras = ["histogram"], version = "^4.0.0"}
pytest-cov = "^4.0.0"
pytest-icdiff = "^0.6"
sortedcollections = "^2.1.0"
sortedcontainers = "^2.4.0"

[build-system]
requires = ["poetry_core>=1.1.0"]
build-backend = "poetry.core.masonry.api"

[jab]

Thanks very much, @jleclanche. I'd be more inclined to migrate to Poetry if it supported PEP 621, but it doesn't currently. Dealing with pip-compile'd requirements.txt files hasn't been that big a bother (though certainly the limitation encountered here is unfortunate). Since all these dependencies are development-time only (and are not passed along transitively to users), the security implications of not pinning to hashes are minimal, and I think it's a bug in the scoring algorithm that this is being treated as though it were affecting users. I'm inclined to start using hashes (potentially via poetry) once the current situation in the Python ecosystem improves.

Would be happy to hear your thoughts on this, along with any other context you can share about how you're using bidict, how well it's working for you, and anything else you'd like to see changed in the future. I don't hear from users often, so any time I do I try to learn as much as I can.

Thanks again for your input here, and look forward to making progress on this in the future.

[jab]

After tightening permissions for GitHub Actions workflows, configuring GitHub Actions Version Updater to use "release-commit-sha", and merging the resulting PR, the aggregate score is now up to 7.5. It should increase further if/when ossf/scorecard#2518 is fixed. Closing this as good enough for now.