[Catalog-sig] parsing setuptools style requires.txt
Alexis Métaireau
alexis at notmyidea.org
Mon Sep 12 14:01:43 CEST 2011
Hi Dylan,
On 09/12/2011 10:43 AM, Dylan Jay wrote:
> It's also been mentioned that in order to make this parsing work you need
> to run setup.py to get the requires.txt for setuptools packages and this
> is a security concern. However many packages already have the egg-info
> command run before upload so there is no need to run setup.py. For those
> packages where there is a need I think security concerns could be
> overcome with the use of the restrictedpython package. Anything trying
> to import anything but the bare minimum is skipped.
One problem I can think about is the fact that it is not possible to get
platform independent information coming from a setup.py, in the sense
that setup.py is executed and can provide different metadata regarding
the platform the setup.py is executing on. PEP 345 and environment
markers aim to resolve this problem.
But, what are you trying to do exactly? Do you want to get the list of
dependencies coming from setuptools? If yes, then the way we are doing
it for the setuptools compatibility layer in distutils2/packaging is the
following:
1. monkey-patch setuptools.setup with your own setup, storing the given
metadata somewhere
2. run the setup.py which will call this monkey patched setup function
This has been implemented here:
http://bazaar.launchpad.net/~anybox/+junk/anybox.recipe.openerp/view/head:/anybox/recipe/openerp/__init__.py#L53
I agree this is not as easy as it could be with uploading metadata to
pypi (as it will be with distutils2 and PEP 345) but having platform
specific dependent metadata information on PyPI is only half answering
the problem, so the solution is probably for now to do this on the
client side.
Hope this helps.
--
Alexis
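The two-step approach described in the mail (replace setuptools.setup with a recorder, then run setup.py), as an added example that is not the linked recipe's code. The setup.py it runs is constructed inline, and the function names are assumptions; note that the script is still executed in full, only setup() is stubbed, which is why the captured install_requires differs by platform exactly as the mail warns.

```python
import runpy
import sys
import tempfile
import types
from pathlib import Path

# Constructed sample setup.py (not a real project). Its dependency list
# depends on the platform it runs on, the problem raised in the mail.
SAMPLE_SETUP_PY = '''
import sys
from setuptools import setup, find_packages

extra = ["pywin32"] if sys.platform == "win32" else []
setup(
    name="example-pkg",
    version="0.1",
    packages=find_packages(),
    install_requires=["requests>=2.0"] + extra,
)
'''


def capture_setup_metadata(setup_py):
    """Run setup.py with setuptools.setup replaced by a recorder.

    Returns the keyword arguments the script passed to setup().
    The script itself still executes; only setup() is stubbed.
    """
    captured = {}

    def fake_setup(**kwargs):
        captured.update(kwargs)

    # A stub module works whether or not real setuptools is installed.
    stub = types.ModuleType("setuptools")
    stub.setup = fake_setup
    stub.find_packages = lambda *args, **kwargs: []
    saved = sys.modules.get("setuptools")
    sys.modules["setuptools"] = stub
    try:
        runpy.run_path(str(setup_py), run_name="__main__")
    finally:  # always restore the real module (or remove the stub)
        if saved is None:
            sys.modules.pop("setuptools", None)
        else:
            sys.modules["setuptools"] = saved
    return captured


def sample_metadata():
    """Write the constructed setup.py to a temp dir and capture its metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "setup.py")
        path.write_text(SAMPLE_SETUP_PY)
        return capture_setup_metadata(path)
```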