
Clean up packaging and build system #17

Merged
merged 3 commits into from
Oct 17, 2021

Conversation

pabs3
Contributor

@pabs3 pabs3 commented Aug 29, 2021

No description provided.

@taylordotfish
Owner

Thanks for the changes. I'd prefer to keep the frozen requirements, though, at least somewhere in the tree. I consider it unfortunate that frozen dependencies/lockfiles aren't as common in Python as they are in Rust/Go/JS/etc.

I don't think keeping it should cause significant issues—someone has to be pretty deliberate in their decision to install the frozen dependencies; any other installation method will resolve the dependencies in the normal Python way. But maybe I'm missing something.

It is identical to the install_requires, so it is not needed.

See-also: https://packaging.python.org/discussions/install-requires-vs-requirements/
Leave stub setup.py for compatibility and for computed long description.

Spacing added to requirements for readability, but the sdist is identical
as the spaces are auto-stripped by setuptools when building the sdist.

See-also: https://packaging.python.org/guides/distributing-packages-using-setuptools/
@taylordotfish taylordotfish merged commit e58a113 into taylordotfish:master Oct 17, 2021
@pabs3
Contributor Author

pabs3 commented Oct 17, 2021 via email

@taylordotfish
Owner

The main benefit of frozen/locked dependencies is build reproducibility and predictability (since a new version of a dependency that should work the same may not), and the dependencies shouldn't generally need to be updated, but security issues always pop up, of course. The dependencies should be updated in that case; I just don't always have the time to check/fix that.

I think most or all of the programming languages I listed whose build systems have better support for this also make it easier to deal with security vulnerabilities in locked/frozen dependencies (e.g., by warning users who install the package or automatically bumping it up to the next secure version). Unfortunately, Python doesn't have great support for this.
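The two points raised in this thread, that a frozen requirements file and install_requires can drift apart, and that Python gives no built-in warning when a frozen pin falls into a vulnerable range, can both be checked mechanically. The script below is an added example written for this page; it is not code from the PR or from the taylordotfish repository. It uses only the standard library, treats versions as dotted integers (a simplification of PEP 440: no pre-releases, local versions or environment markers), and runs on constructed inputs: the package names (fakehttp, fakeparser, fakeidna) are fictional and the advisory table is hypothetical data, not real vulnerabilities.

```python
"""Check a frozen (==) requirements file against declared install_requires
ranges and against an advisory table.  Added example, stdlib only; versions
are dotted integers with trailing zeros dropped (a PEP 440 simplification)."""
import re

# Constructed sample inputs: fictional package names, hypothetical advisory.
FROZEN_TXT = """\
# pins as produced by `pip freeze` (constructed)
fakehttp==2.26.0
fakeparser==1.4.0
fakeidna==3.2        # transitive dependency, not declared below
"""

DECLARED_TXT = """\
fakehttp >= 2.20, < 3
fakeparser >= 1.5
"""

# name -> [(affected specifier, advisory id)].  Hypothetical data.
ADVISORIES = {
    "fakehttp": [("<2.27.0", "EXAMPLE-ADVISORY-0001")],
    "fakeparser": [("<1.3", "EXAMPLE-ADVISORY-0002")],
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """'2.26.0' -> (2, 26): integer parts, trailing zeros dropped."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _lines(text):
    """Yield non-empty lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_specs(spec_text):
    """'>= 2.20, < 3' -> [('>=', (2, 20)), ('<', (3,))]; '' -> []."""
    if not spec_text.strip():
        return []
    specs = []
    for chunk in spec_text.split(","):
        m = _SPEC_RE.fullmatch(chunk.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {chunk!r}")
        specs.append((m.group(1), parse_version(m.group(2))))
    return specs


def parse_frozen(text):
    """requirements.txt with exact pins -> {name: version string}."""
    pins = {}
    for line in _lines(text):
        name, spec = _REQ_RE.match(line).groups()
        m = _SPEC_RE.fullmatch(spec)
        if not m or m.group(1) != "==":
            raise ValueError(f"not an exact pin: {line!r}")
        pins[name.lower()] = m.group(2)
    return pins


def parse_declared(text):
    """install_requires lines -> {name: [(op, version tuple), ...]}."""
    declared = {}
    for line in _lines(text):
        name, spec = _REQ_RE.match(line).groups()
        declared[name.lower()] = parse_specs(spec)
    return declared


def satisfies(version, specs):
    return all(_OPS[op](version, bound) for op, bound in specs)


def check_drift(pins, declared):
    """(kind, name) findings: 'violation' = pin outside declared range,
    'unpinned' = declared but not frozen, 'undeclared' = frozen only."""
    findings = []
    for name, specs in declared.items():
        if name not in pins:
            findings.append(("unpinned", name))
        elif not satisfies(parse_version(pins[name]), specs):
            findings.append(("violation", name))
    findings += [("undeclared", n) for n in pins if n not in declared]
    return findings


def check_advisories(pins, advisories):
    """(name, pinned version, advisory id) for every pin in an affected range."""
    hits = []
    for name, version in pins.items():
        for spec_text, advisory_id in advisories.get(name, []):
            if satisfies(parse_version(version), parse_specs(spec_text)):
                hits.append((name, version, advisory_id))
    return hits


if __name__ == "__main__":
    pins, declared = parse_frozen(FROZEN_TXT), parse_declared(DECLARED_TXT)
    for kind, name in check_drift(pins, declared):
        print(f"drift: {kind}: {name}")
    for name, version, advisory_id in check_advisories(pins, ADVISORIES):
        print(f"vulnerable pin: {name}=={version} ({advisory_id})")
```

On the constructed input the drift check reports fakeparser (pinned 1.4.0, declared >=1.5) and fakeidna (pinned but not declared, which is expected for a transitive dependency captured by pip freeze), and the advisory check flags fakehttp==2.26.0. In practice the advisory table would come from a vulnerability database rather than an inline dict, and the version logic should be replaced by the packaging library's Version and SpecifierSet for full PEP 440 handling.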

@pabs3 pabs3 deleted the packaging branch November 11, 2021 07:15