GNU social JP
GNU social JP is a Japanese GNU social server.

Untitled attachment

Notices where this attachment appears

  1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 29-Aug-2025 22:07:51 JST
    @ska @hipsterelectron And pip is a pretty bad package manager… at least as long as setup.py exists (still used in a *lot* of places)
    https://github.com/pypa/pip/issues/1884
    In conversation about 10 days ago from queer.hacktivis.me permalink
  2. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 02-May-2025 17:14:25 JST
    @alex True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.
    Or how some tools don't allow verifying first, like how pip always runs setup.py: https://github.com/pypa/pip/issues/1884

    Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).

    ---

    I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't use them.

    It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.
    In conversation about 4 months ago from queer.hacktivis.me permalink
  3. Cassandra Granade 🏳️‍⚧️ (xgranade@wandering.shop)'s status on Wednesday, 11-Dec-2024 07:42:35 JST

    @SnoopJ @glyph To be sure, I'm glad setup.py is there as an escape hatch for things that declarative setups can't represent. There's still a lot of libraries out there that could absolutely be pyproject.tomls and... aren't.

    In conversation about 9 months ago from wandering.shop permalink
  4. Cassandra Granade 🏳️‍⚧️ (xgranade@wandering.shop)'s status on Wednesday, 11-Dec-2024 07:20:59 JST

    The above thread can also be read as a plea for Python library authors to stop making setup.py files and get on board with pyproject.toml instead. That is a correct reading.

    In conversation about 9 months ago from wandering.shop permalink
  5. aslamK (4slam@gnusocial.net)'s status on Saturday, 30-Nov-2024 04:42:17 JST
    'gnu-social-export' depends on 'dotenv', which depends on 'distribute' (https://pypi.org/project/distribute/), which gives an error when installing:
    ===
    Preparing metadata (pyproject.toml) did not run successfully.
    │ exit code: 1
    ╰─> [6 lines of output]
    usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
    or: setup.py --help [cmd1 cmd2 ...]
    or: setup.py --help-commands
    or: setup.py cmd --help

    error: invalid command 'dist_info'
    [end of output]
    ===
    Do you know a workaround/fix? I couldn't find the code for 'distribute'. (Python 3.13)
    In conversation about 9 months ago from gnusocial.net permalink
  6. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 29-Oct-2024 11:03:38 JST
    @GNUxeava Best of Python is how pip and PyPI are a complete disaster in terms of security.
    - Random binaries? Weee! Those can even be put into lockfiles, good luck vetting those.
    - setup.py means pip will execute code, even for just downloads
    In conversation about 10 months ago from gnusocial.jp permalink
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.