Refine and simplify Package models

[pombredanne]

Things that need to be corrected:

• the use of subclassing for Package does not make sense as implemented. We need instead some composition IMHO: the current way smells funny.
• And we need a plugin approach such that new package formats are implement as external libraries, eventually using different languages than Python to reuse the many parsers natively available (Ruby, Js, Java, etc). This would likely make the pure subclassing likely naturally vanish.
• schematics is likely not the right library for our use case: attrs or marshmallow need to be reviewed. The schematics-based code smells funny too

We need a few more types and change some types:

• Project: several packages are part of a larger project that defines many packages attributes
• Repo: a package name/version is typically unique only within the confine of a repo
• FQN: fully qualified name such as in repo:name:version (and possibly os/arch for many packages beyond deb and rpms) and defining some kind of global identification
• Grouping: several packages are often derived for different architecture/platforms (Java for Ruby, egg/wheels/sdist/bdist on Python, various os/arch on RPMs and debs, etc.) or different artifacts are available for a package (src/bin/doc/pom for Maven)
• Dependencies: while they live in some group, a flat sequence is likely better than a by-group tree. Also there is always a notion of potential deps vs resolved, locked deps. This needs to be more simply modelled.
• Downloads: we have a 1-to-1 between a download and a package (even though each download can be several urls, this is for the same exact file). This could be refined in one package -> many downloads where each download is for the same package version but packaged differently (arch/os/platform/source/binary/etc)

Some extra data fields needed too:

• documentation_url
• the web page if any for a package release, as is typical for many package repos
• beyond keywords, support for Trove-like classifiers (in sf.net or Pypi)
• download stats when provided?
• file size and filename
• release or upload date

Or should be retired:

• keywords_doc_url

[pombredanne]

From #241
So now that we have used schematics, I am not super happy with the way this works. In particular anything that would be stored in the DB in a near future would require having yet another schema being defined in yet another library. I made a few local tests storing things as raw JSON in a DB but that raise another problem of schema migrations.
I am considering using Django's ORM to define the models instead. I will try out some tests in a branch. The semantics are essentially the same as schematics or marshmallow (or the other way around) and there could be some side benefits to store an-flight scan in a temp sqlite DB. I will work out something.
Feedback welcomed

[pombredanne]

This is completed and merged in develop.

[jhgoebbert]

This commit adds in setup.py
'pefile == 1.2.10-132',
which makes it impossible to install on Linux with pip, as there is no version like this in PyPi:
https://pypi.org/project/pefile/#history

[pombredanne]

@jhgoebbert good point. That's never been a released version on Pypi!
Do you mind to create a separate ticket specifically for this issue?
thank you!

[pombredanne]

Thanks ... This is now tracked in #1183