Python pip setup.cfg
I'm not sure this is exactly the right place to report, but it seems logical.
Python's packaging ecosystem has long used a setup.py file for package metadata. However, since 2016, it has been possible to place all the metadata instead in the setup.cfg file, avoiding the need for executable Python code. (docs).
Although metadata has been supported since 2016, it has seen slow adoption. For example, Django has moved to it recently in 3.1 (still in alpha): https://github.com/django/django/commit/85efc14a2edac532df1a9ad4dd9b6d4a4dcf583e .
It seems at the moment, semantic only attempts to parse metadata from setup.py files:
https://github.com/github/semantic/blob/46d82018b2ce5bba502d21d50baedc41776c7046/src/Semantic/Graph.hs#L331
This is where I'm not so sure if this is the origin for the actual observed issue. The problem I'm chasing is that GitHub security alerts don't propagate from source repos using setup.cfg for their metadata, only those using setup.py. I'm guessing this is because they're parsed with semantic.
As reported to me by @davidism, maintainer of some popular Python projects: https://github.com/django/asgiref/pull/161#discussion_r430060439
We’re currently overhauling how Semantic.Graph works, so this code path will probably perish, but let’s keep this open to make sure we account for it during Python stack-graphing.
To add a bit more information, I need to leave a minimal setup.py with name and install_requires in order for GitHub's dependency graph feature to work. You can see this in the various Pallets projects, such as Flask: https://github.com/pallets/flask/blob/330a3e3ddba712def955e7a2ccee92a205dfb656/setup.py
```python
from setuptools import setup

# Minimal setup.py kept only so the dependency graph can read the metadata.
setup(
    name="Flask",
    install_requires=[
        "Werkzeug>=0.15",
        "Jinja2>=2.10.1",
        "itsdangerous>=0.24",
        "click>=5.1",
    ],
    extras_require={"dotenv": ["python-dotenv"]},
)
```
The equivalent sections in setup.cfg would be:
```ini
[metadata]
name = Flask

[options]
install_requires =
    Werkzeug>=0.15
    Jinja2>=2.10.1
    itsdangerous>=0.24
    click>=5.1

[options.extras_require]
dotenv =
    python-dotenv
```
The dependency graph doesn't understand extras_require and setup_requires right now, but I figured I might as well include it since the extras layout is different.
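The thread's point is that a dependency scanner which only reads `setup.py` silently misses projects that declare the same metadata in `setup.cfg`, so their security alerts never fire. The following is an added example, not code from the semantic project or from Pallets: it extracts `name`, `install_requires` and `extras_require` from both layouts and shows that the two samples above yield identical results. The `setup.py` side is read statically with `ast`, so an untrusted `setup.py` is never executed by the scanner; both sample files are constructed inline from the comment above.

```python
"""Static extraction of pip dependency metadata from setup.py and setup.cfg.

Added example (not the semantic project's code): a scanner that only
handles setup.py misses setup.cfg-only projects, so both are parsed here.
"""
import ast
import configparser
from typing import Dict, List

# Constructed sample: the minimal setup.py quoted in the thread.
SAMPLE_SETUP_PY = '''
from setuptools import setup

setup(
    name="Flask",
    install_requires=[
        "Werkzeug>=0.15",
        "Jinja2>=2.10.1",
        "itsdangerous>=0.24",
        "click>=5.1",
    ],
    extras_require={"dotenv": ["python-dotenv"]},
)
'''

# Constructed sample: the equivalent declarative setup.cfg.
SAMPLE_SETUP_CFG = '''
[metadata]
name = Flask

[options]
install_requires =
    Werkzeug>=0.15
    Jinja2>=2.10.1
    itsdangerous>=0.24
    click>=5.1

[options.extras_require]
dotenv =
    python-dotenv
'''


def _empty_meta() -> Dict[str, object]:
    return {"name": None, "install_requires": [], "extras_require": {}}


def _split_lines(value: str) -> List[str]:
    """setup.cfg lists are one requirement per line; drop blanks and comments."""
    lines = [ln.strip() for ln in value.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#")]


def parse_setup_cfg(text: str) -> Dict[str, object]:
    """Read the declarative metadata; configparser handles the indented lists."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    meta = _empty_meta()
    if cfg.has_option("metadata", "name"):
        meta["name"] = cfg.get("metadata", "name").strip()
    if cfg.has_option("options", "install_requires"):
        meta["install_requires"] = _split_lines(cfg.get("options", "install_requires"))
    if cfg.has_section("options.extras_require"):
        for extra, value in cfg.items("options.extras_require"):
            meta["extras_require"][extra] = _split_lines(value)
    return meta


def parse_setup_py(text: str) -> Dict[str, object]:
    """Find the setup(...) call and read its literal keyword arguments.

    The file is parsed, never executed: only literal values are recovered,
    anything computed at runtime is left at its default.
    """
    meta = _empty_meta()
    for node in ast.walk(ast.parse(text)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "setup":
            continue
        for kw in node.keywords:
            if kw.arg in meta:
                try:
                    meta[kw.arg] = ast.literal_eval(kw.value)
                except ValueError:
                    pass  # non-literal argument: cannot be read statically
        break
    return meta


def all_requirements(meta: Dict[str, object]) -> List[str]:
    """Flatten install_requires plus every extra into one sorted list."""
    reqs = list(meta["install_requires"])
    for extra_reqs in meta["extras_require"].values():
        reqs.extend(extra_reqs)
    return sorted(set(reqs))


if __name__ == "__main__":
    assert parse_setup_py(SAMPLE_SETUP_PY) == parse_setup_cfg(SAMPLE_SETUP_CFG)
    print(all_requirements(parse_setup_cfg(SAMPLE_SETUP_CFG)))
```

A scanner that stops at `parse_setup_py` would report an empty dependency list for a project whose `setup.py` is gone and whose metadata lives entirely in `setup.cfg`; running both parsers and merging the results closes that gap.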