GNU social JP
GNU social JP is a Japanese GNU social server.
Untitled attachment

Notices where this attachment appears

  1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 02-May-2025 17:14:25 JST
    @alex True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.
    Or how some tools don't allow verifying first, like pip always running setup.py: https://github.com/pypa/pip/issues/1884

    Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).

    ---

    I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't use them.

    It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.
    In conversation about 16 days ago from queer.hacktivis.me permalink
  2. Cassandra Granade 🏳️‍⚧️ (xgranade@wandering.shop)'s status on Wednesday, 11-Dec-2024 07:42:35 JST

    @SnoopJ @glyph To be sure, I'm glad setup.py is there as an escape hatch for things that declarative setups can't represent. There's still a lot of libraries out there that could absolutely be pyproject.tomls and... aren't.

    In conversation about 5 months ago from wandering.shop permalink
  3. Cassandra Granade 🏳️‍⚧️ (xgranade@wandering.shop)'s status on Wednesday, 11-Dec-2024 07:20:59 JST

    The above thread can also be read as a plea for Python library authors to stop making setup.py files and get on board with pyproject.toml instead. That is a correct reading.

    In conversation about 5 months ago from wandering.shop permalink
  4. aslamK (4slam@gnusocial.net)'s status on Saturday, 30-Nov-2024 04:42:17 JST
    'gnu-social-export' depends on 'dotenv', which depends on 'distribute' (https://pypi.org/project/distribute/), which gives an error when installing:
    ===
    Preparing metadata (pyproject.toml) did not run successfully.
    │ exit code: 1
    ╰─> [6 lines of output]
    usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
    or: setup.py --help [cmd1 cmd2 ...]
    or: setup.py --help-commands
    or: setup.py cmd --help

    error: invalid command 'dist_info'
    [end of output]
    ===
    Do you know a workaround/fix? I couldn't find the code for 'distribute'. (Python 3.13)
    In conversation about 6 months ago from gnusocial.net permalink
  5. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 29-Oct-2024 11:03:38 JST
    @GNUxeava Best of python is how pip and PyPI are a complete disaster in terms of security.
    - Random binaries? Weee! Those can even be put into lockfiles, good luck vetting those.
    - setup.py means pip will execute code, even for just downloads
    In conversation about 7 months ago from gnusocial.jp permalink
  6. karna :flipflop: :buffsuki: (karna@poa.st)'s status on Sunday, 25-Aug-2024 00:05:19 JST
    @kirby @burner @mikuphile You can do a lot with the standard library (since it's "batteries-included") but CPython is just slow as aids by design. And virtual envs and packages are such a mess because of the lack of proper version number specifications as burner mentioned, but also because for a long time, there was no standard way for making a package for python. There were setup.py files, then setup.cfg files, pyproject.toml files to declare package metadata. And various tools to actually do the packaging from setuptools, poetry, hatch, meson, etc. Also because a lot of popular packages rely on C extensions for speed, the packaging process can get extra complicated. Pip also doesn't do the best version number resolution for installing packages so other tools like conda popped up for managing dependencies but that is bloated in its own way and another rabbit hole...

    Compare this to something like R, where they made sure there was a coherent standard for packaging pretty early on (not that I like R much, but it's a comparable language for certain use cases).



    Also for requests see stackoverflow.com/questions/62599036/python-requests-is-slow-and-takes-very-long-to-complete-http-or-https-request.
    In conversation about 9 months ago from poa.st permalink
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.