Modernise and rationalise packaging #1161
Comments
|
We should add some CI steps to ensure our packaging metadata is sane, for example our current
|
|
A gotcha that we may care about with regards to setup.py/setup.cfg/pyproject.toml: I just tried to do Which would mean current requirements-dev.txt in tuf would fail to install in this case. |
Yep, it is a known limitation, it can be circumvented by: but needs to be kept in mind (link). |
Remove references to, and handling of, Python 2.7 in our project scaffolding: - updated python_requires in setup.py to state our intent to support Python 3.6 and above (but not Python 4, yet) - Drop no longer required dependencies in setup.py, and requirements-*.txt (further refinement of requirements files will be handled in theupdateframework#1161) - Remove Python 2.7 from our tox environments Signed-off-by: Joshua Lock <[email protected]>
|
I am sharing, after of a brief research on the topic, a list of the current issues with suggestions on how to move forward. 1. Lagging behind from the latest PyPA recommendations and PEPs (517, 518) The obvious proposal here is to just follow the PyPA guideline which recommends:
* keep in mind the two comments above related to an issue when installing in editable mode. This should make the project PEP 517, PEP 518 compliant which also gives the opportunity to easily migrate to another packaging tool if such need arrives in the future. Just listing some popular names here: flit, poetry, bento 2. File gathering: MANIFEST.in is too fine grained, misses needed files while adding irrelevant ones
3. Semi-manual
Adding some blogposts to Joshua's list of references: |
Remove references to, and handling of, Python 2.7 in our project scaffolding: - updated python_requires in setup.py to state our intent to support Python 3.6 and above (but not Python 4, yet) - Drop no longer required dependencies in setup.py, and requirements-*.txt (further refinement of requirements files will be handled in theupdateframework#1161) - Remove Python 2.7 from our tox environments Signed-off-by: Joshua Lock <[email protected]>
Remove references to, and handling of, Python 2.7 in our project scaffolding: - updated python_requires in setup.py to state our intent to support Python 3.6 and above (but not Python 4, yet) - Drop no longer required dependencies in setup.py, and requirements-*.txt (further refinement of requirements files will be handled in theupdateframework#1161) - Remove Python 2.7 from our tox environments Signed-off-by: Joshua Lock <[email protected]>
|
Thank you for doing the research Teodora!
It would be great to handle the things you listed in 1. and the setuptools_scm change suggested in 2 to address this issue. |
|
Thanks for the great summary, @sechkova! I second @joshuagl's comment, plus:
Any recommendations on tools?
Did you see how other projects do this? in-toto/in-toto#294 -- i.e. un-pinned direct deps for user installs vs. pinned + auto-updated direct and transitive deps for CI/CD -- felt like a good but very custom solution. I'd be curious if there are better or more common practices. Also in regards to pinning direct and transitive deps for different Python versions. Although the latter might really just not be relevant without Python 2.7. IIRC TUF has no dependency case-handling for different Python 3 versions. |
I am wary of recommending tools that I haven't used, especially with no experience in the packaging world. However, @joshuagl may be interested in On the second part of the problem, dependencies resolution, I couldn't find any different practices (than what we do) besides suggestions to totally switch to |
My understanding at this point is that |
Ah, interesting. flit might be a good stop-gap for achieving #1269. I'll mention it in that issue, thanks @sechkova ! |
Configure lint build in tox.ini to check if code in tuf/api/* is formatted according to black and isort style rules: https://black.readthedocs.io/en/stable/the_black_code_style.html https://pycqa.github.io/isort/ In addition to our new style guide (theupdateframework#1128) and corresponding linter configuration, requiring auto-formatting should help to further reduce reviewing effort. The auto-formatter black was chosen for the following reasons: - It seems to be the most popular formatter in the Python ecosystem - It is well documented including integration instructions with most of the tools we use (git, GitHub Actions, pylint, a range of editors, pyproject.toml theupdateframework#1161) - It checks that the reformatted code produces a valid AST that is equivalent to the original - It has almost no ways of customization, which means no customization effort required, and more (cross-project) style uniformity, lowering contribution barriers - It converts single to double quotes, where reasonable, which is exactly what we recommend - The style choices it makes seem generally reasonable and don't conflict with our style guide, except for favoring hanging over aligned indentation, which is the opposite of what we recommend. But we are willing to update the adapt our style guide. Auto-format pre-commit configuration will be added in a subsequent commit. Signed-off-by: Lukas Puehringer <[email protected]>
Those generated files are not explicitly under Apache-2.0 licence and AFAIK they can not be regenerated from missing (latex?) sources. To avoid licence mixup. It would help to have those files published elsewhere. Meanwhile online (Github) links are used. Debian had to repack the source package to make tarball compliant with DFSG dispite debian tools are known to be trustworthy, this extra step would add weakess in the chain of trust Cleanup done upstream would make distribution safer. Bug: theupdateframework#1161 Bug-Debian: https://salsa.debian.org/python-team/packages/tuf/-/merge_requests/11 Relate-to: theupdateframework#263 (comment) Signed-off-by: Philippe Coval <[email protected]>
Those generated files are not explicitly under Apache-2.0 licence and AFAIK they can not be regenerated from missing (latex?) sources. To avoid licence mixup. It would help to have those files published elsewhere. Meanwhile online (Github) links are used. Debian had to repack the source package to make tarball compliant with DFSG despite debian tools are known to be trustworthy, this extra step would add weakess in the chain of trust Cleanup done upstream would make distribution safer. Bug: theupdateframework#1161 Bug-Debian: https://salsa.debian.org/python-team/packages/tuf/-/merge_requests/11 Relate-to: theupdateframework#263 (comment) Forwarded: theupdateframework#1380 Signed-off-by: Philippe Coval <[email protected]>
Duplication is not needed since files are hosted in website project: https://github.com/theupdateframework/theupdateframework.io/tree/master/static/papers Those generated files are not explicitly under Apache-2.0 licence and AFAIK they can not be regenerated from missing (latex?) sources. To avoid licence mixup. It would help to have those files published elsewhere. Meanwhile online (Github) links are used. Debian had to repack the source package to make tarball compliant with DFSG despite debian tools are known to be trustworthy, this extra step would add weakess in the chain of trust Cleanup done upstream would make distribution safer. Bug: theupdateframework#1161 Bug-Debian: https://salsa.debian.org/python-team/packages/tuf/-/merge_requests/11 Relate-to: theupdateframework#263 (comment) Forwarded: theupdateframework#1380 Relate-to: theupdateframework/specification#160 Signed-off-by: Philippe Coval <[email protected]>
Duplication is not needed since files are hosted in website project: https://github.com/theupdateframework/theupdateframework.io/tree/master/static/papers Those generated files are not explicitly under Apache-2.0 licence and AFAIK they can not be regenerated from missing (latex?) sources. To avoid licence mixup. It would help to have those files published elsewhere. Meanwhile online (Github) links are used. Debian had to repack the source package to make tarball compliant with DFSG despite debian tools are known to be trustworthy, this extra step would add weakess in the chain of trust Cleanup done upstream would make distribution safer. Bug: #1161 Bug-Debian: https://salsa.debian.org/python-team/packages/tuf/-/merge_requests/11 Relate-to: #263 (comment) Forwarded: #1380 Relate-to: theupdateframework/specification#160 Signed-off-by: Philippe Coval <[email protected]>
|
PyPA are recommending |
|
Not only are PyPA recommending build, but direct invocations of setup.py are considered deprecated for a number of years!? 😱 https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html |
Description of issue or feature request:
Python packaging has changed significantly since the tuf packaging was created. There's been a move to declarative files, the formalisation of build system independent source tree layout in PEP 517, and the addition of new metadata to specify the build system dependencies in PEP 518.
Furthermore our current packaging is somewhat ad-hoc, with some expected files like LICENSE missing from the sdist (see #1160) and some unexpected files like tuf/ATTACKS.md included.
For reference see:
https://packaging.python.org/
https://snarky.ca/what-the-heck-is-pyproject-toml/
Current behavior:
Packaging isn't up-to-date with PyPA recommendations and our sdist includes files which don't match conventions.
Expected behavior:
Packaging is in line with current PyPA best practices and generated distributions match ecosystem conventions.
The text was updated successfully, but these errors were encountered: