
PyPI distribution / setuptools config unusual behaviors

Open · kislyuk opened this issue 4 years ago · 1 comment

Hello,

I am looking at using ETE code in a production environment. In the course of running pip3 install ete3, I see that the setuptools code for this package performs several alarming and potentially unsafe steps in the course of installation:

  • It manipulates the Python global import path (sys.path)
  • It attempts to import a number of dependencies (dependency checks could be more appropriately included as a post-install command)
  • It attempts to write to a system directory outside its installation path, "$PREFIX/ete3/tools/ete_build.cfg" (this happens because data_files does not contain a path that starts with the ETE installation path; it can be avoided by using MANIFEST.in and package_data instead)
  • It attempts to import its own package and opens a network connection to http://etetoolkit.org/static/et_phone_home.php

Please consider eliminating the above steps in the default setuptools configuration and PyPI distribution, as they interfere with package installation in some environments, and raise privacy and security concerns.

I can open a PR to help configure setup.py to avoid these behaviors, if that is helpful.

kislyuk avatar Jan 13 '21 22:01 kislyuk
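As an added example (not ETE's code and not from this thread), a static audit built on Python's `ast` module that flags the four install-time patterns listed above in a setup.py; the sample setup.py embedded in it is constructed for illustration, and its URL is a placeholder.

```python
import ast
import sys

# Constructed sample reproducing the issue's four behaviours; NOT the real ete3 setup.py.
SAMPLE_SETUP_PY = '''
import sys
sys.path.insert(0, "ete3")
try:
    import numpy
except ImportError:
    print("numpy missing")
import urllib.request
urllib.request.urlopen("http://example.invalid/et_phone_home.php")
from setuptools import setup
setup(name="demo", packages=["demo"],
      data_files=[("demo/tools", ["demo/tools/build.cfg"])])
'''

NETWORK_MODULES = {"urllib", "urllib2", "http", "socket", "requests"}


def audit_setup_py(source):
    """Return sorted (line, finding) pairs for install-time behaviours in a setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func  # match sys.path.insert/append/extend(...)
            if (f.attr in {"insert", "append", "extend"}
                    and isinstance(f.value, ast.Attribute) and f.value.attr == "path"
                    and isinstance(f.value.value, ast.Name) and f.value.value.id == "sys"):
                findings.append((node.lineno, "modifies sys.path"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                if name.split(".")[0] in NETWORK_MODULES:
                    findings.append((node.lineno, f"imports network module {name}"))
        elif isinstance(node, ast.Try) and any(
                isinstance(h.type, ast.Name) and h.type.id == "ImportError"
                for h in node.handlers):
            findings.append((node.lineno, "probes a dependency with try/import at install time"))
        elif isinstance(node, ast.keyword) and node.arg == "data_files":
            # data_files targets are relative to sys.prefix, not to the package directory
            for elt in getattr(node.value, "elts", []):
                if isinstance(elt, ast.Tuple) and elt.elts and isinstance(elt.elts[0], ast.Constant):
                    findings.append((elt.lineno, f"data_files writes under {sys.prefix}/"
                                     f"{elt.elts[0].value}; use package_data instead"))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value.startswith(("http://", "https://"))):
            findings.append((node.lineno, f"embeds URL {node.value}"))
    return sorted(findings)
```

Run `audit_setup_py(open("setup.py").read())` against an unpacked sdist before installing it; an empty list means none of the patterns from this issue were found.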

Thanks @kislyuk, we are working on those fixes for the next release, especially regarding stats collection, which will be fully disabled.

Any help with the rest would be most welcome. Cheers, -jaime

jhcepas avatar Jan 14 '21 10:01 jhcepas