From: Eli Schwartz
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH v2 1/2] dev-python/setuptools: allow disabling validation of pypi.org allowed strings
Date: Tue, 12 Nov 2024 14:23:31 -0500
Message-ID: <20241112192355.2225195-1-eschwartz@gentoo.org>
X-Mailer: git-send-email 2.45.2
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Archives-Salt: 4de3bc5b-ac32-4fc7-8f56-51a129908951
X-Archives-Hash: 84c8b7471a638f75b2b5962945ef6340

Trove classifiers, and their officialness, have no effect on a wheel
other than determining whether they are allowed to be uploaded to a
non-Gentoo website, and enabling the search index of that other site. We
don't need this, and we don't need to validate it.

Setuptools will disable validation if both of:
- network downloads failed
- cannot successfully import the `trove_classifiers` module

occurs.

If trove-classifiers is installed by coincidence, this breaks builds
when it doesn't get updated on an extremely rapid basis and some random
package in dev-python/* uses a classifier that was made official just
the other day.

We could solve this another way, by making dev-python/setuptools PDEPEND
on trove-classifiers, and constantly bump the >= dependency. But this is
a pointless hassle. In fact, we're actually doing it, and it's been a
pointless hassle. We need to maintain up-to-the-minute minimum bounds on
the very latest version, and bump setuptools to a new -rX just to update
the minimum version of a package it doesn't even depend on. We need to
package new versions of trove-classifiers before *other* Gentoo Devs
outside of the python project, can successfully revbump their own
packages. We need to coordinate stabilization of trove-classifiers in
combination with those other packages.
We force people to install a pointless package. We overuse PDEPEND.

Instead, apply a *rejected* upstream patch to add an environment
variable that skips this specific validation code block entirely.
Upstream doesn't want to maintain code that contains branches, so we
will maintain it locally. Since it is Gentoo-specific, the variable is
also prefixed with GENTOO_ and is expected to be used solely inside of
distribution packaging while not affecting manual usage of setuptools
outside of portage.

Bug: https://github.com/pypa/setuptools/issues/4459
Signed-off-by: Eli Schwartz
---
v2: patch setuptools instead of adding a trove_classifiers.py shim

 ...ble-users-to-disable-validating-trov.patch | 65 +++++++++++++++++++
 ...-r1.ebuild => setuptools-74.1.3-r2.ebuild} |  7 +-
 ...2.0.ebuild => setuptools-75.2.0-r1.ebuild} |  7 +-
 ...3.0.ebuild => setuptools-75.3.0-r1.ebuild} |  7 +-
 .../setuptools/setuptools-75.4.0.ebuild       |  1 +
 5 files changed, 69 insertions(+), 18 deletions(-)
 create mode 100644 dev-python/setuptools/files/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch
 rename dev-python/setuptools/{setuptools-74.1.3-r1.ebuild => setuptools-74.1.3-r2.ebuild} (93%)
 rename dev-python/setuptools/{setuptools-75.2.0.ebuild => setuptools-75.2.0-r1.ebuild} (93%)
 rename dev-python/setuptools/{setuptools-75.3.0.ebuild => setuptools-75.3.0-r1.ebuild} (93%)

diff --git a/dev-python/setuptools/files/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch b/dev-python/setuptools/files/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch new file mode 100644 index 000000000000..4ab6bbae7af4 --- /dev/null +++ b/dev-python/setuptools/files/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch
@@ -0,0 +1,65 @@ +From f694e474ab3c45af6241a3f2bf575f8188e9cbea Mon Sep 17 00:00:00 2001 +From: Eli Schwartz +Date: Mon, 11 Nov 2024 19:51:54 -0500 +Subject: [PATCH] Allow knowledgeable users to disable validating + trove-classifiers + +Classifiers are based on a "blessed list" of search terms that are +allowed on https://pypi.org and need to be regularly kept up to date in +order to validate them. + +Many people don't care about this. Arguably, *no one* cares about this, +since wheels that have search terms that PyPI doesn't consider popular +enough will simply fail uploading to PyPI. But also, not everyone wants +to download new lists of "allowed words" from the internet every time +they check to see if e.g. pyproject.toml contains a valid format that +won't traceback when someone tries to read the "name" field and gets an +integer instead of a string. Or their entrypoints are malformed because +they aren't a valid python object reference. + +This is also an issue because one might have an old version of the +classifiers cached, and then a new classifier is added to +https://pypi.org and you want to use it immediately, and the local +validator in the form of validate_pyproject fails but actually uploading +a wheel to https://pypi.org would work fine. 
+ +Signed-off-by: Eli Schwartz +Signed-off-by: Eli Schwartz +--- + .../config/_validate_pyproject/formats.py | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/setuptools/config/_validate_pyproject/formats.py b/setuptools/config/_validate_pyproject/formats.py +index 153b1f0b2..50b8520e9 100644 +--- a/setuptools/config/_validate_pyproject/formats.py ++++ b/setuptools/config/_validate_pyproject/formats.py +@@ -205,15 +205,19 @@ class _TroveClassifier: + return value in self.downloaded or value.lower().startswith("private ::") + + +-try: +- from trove_classifiers import classifiers as _trove_classifiers +- ++if os.getenv("GENTOO_VALIDATE_PYPROJECT_NO_TROVE_CLASSIFIERS"): + def trove_classifier(value: str) -> bool: +- """See https://pypi.org/classifiers/""" +- return value in _trove_classifiers or value.lower().startswith("private ::") ++ return True ++else: ++ try: ++ from trove_classifiers import classifiers as _trove_classifiers + +-except ImportError: # pragma: no cover +- trove_classifier = _TroveClassifier() ++ def trove_classifier(value: str) -> bool: ++ """See https://pypi.org/classifiers/""" ++ return value in _trove_classifiers or value.lower().startswith("private ::") ++ ++ except ImportError: # pragma: no cover ++ trove_classifier = _TroveClassifier() + + + # ------------------------------------------------------------------------------------- +-- +2.45.2 + diff --git a/dev-python/setuptools/setuptools-74.1.3-r1.ebuild b/dev-python/setuptools/setuptools-74.1.3-r2.ebuild similarity index 93% rename from dev-python/setuptools/setuptools-74.1.3-r1.ebuild rename to dev-python/setuptools/setuptools-74.1.3-r2.ebuild index 9cc97e5921d2..62bcc9708b4a 100644 --- a/dev-python/setuptools/setuptools-74.1.3-r1.ebuild +++ b/dev-python/setuptools/setuptools-74.1.3-r2.ebuild 
@@ -64,20 +64,15 @@ BDEPEND=" " # setuptools-scm is here because installing plugins apparently breaks stuff at # runtime, so let's pull it early. See bug #663324. -# -# trove-classifiers are optionally used in validation, if they are -# installed. Since we really oughtn't block them, let's always enforce -# the newest version for the time being to avoid errors. -# https://github.com/pypa/setuptools/issues/4459 PDEPEND=" dev-python/setuptools-scm[${PYTHON_USEDEP}] - >=dev-python/trove-classifiers-2024.10.16[${PYTHON_USEDEP}] " src_prepare() { local PATCHES=( # TODO: remove this when we're 100% PEP517 mode "${FILESDIR}/setuptools-62.4.0-py-compile.patch" + "${FILESDIR}"/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch ) distutils-r1_src_prepare diff --git a/dev-python/setuptools/setuptools-75.2.0.ebuild b/dev-python/setuptools/setuptools-75.2.0-r1.ebuild similarity index 93% rename from dev-python/setuptools/setuptools-75.2.0.ebuild rename to dev-python/setuptools/setuptools-75.2.0-r1.ebuild index c66232a1e7d2..4b06e8451606 100644 --- a/dev-python/setuptools/setuptools-75.2.0.ebuild +++ b/dev-python/setuptools/setuptools-75.2.0-r1.ebuild @@ -66,20 +66,15 @@ BDEPEND=" " # setuptools-scm is here because installing plugins apparently breaks stuff at # runtime, so let's pull it early. See bug #663324. -# -# trove-classifiers are optionally used in validation, if they are -# installed. Since we really oughtn't block them, let's always enforce -# the newest version for the time being to avoid errors. -# https://github.com/pypa/setuptools/issues/4459 PDEPEND=" dev-python/setuptools-scm[${PYTHON_USEDEP}] - >=dev-python/trove-classifiers-2024.10.16[${PYTHON_USEDEP}] " src_prepare() { local PATCHES=( # TODO: remove this when we're 100% PEP517 mode "${FILESDIR}/setuptools-62.4.0-py-compile.patch" + "${FILESDIR}"/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch ) distutils-r1_src_prepare 
diff --git a/dev-python/setuptools/setuptools-75.3.0.ebuild b/dev-python/setuptools/setuptools-75.3.0-r1.ebuild similarity index 93% rename from dev-python/setuptools/setuptools-75.3.0.ebuild rename to dev-python/setuptools/setuptools-75.3.0-r1.ebuild index aa6b581cf0dd..4219ae3d4792 100644 --- a/dev-python/setuptools/setuptools-75.3.0.ebuild +++ b/dev-python/setuptools/setuptools-75.3.0-r1.ebuild @@ -66,20 +66,15 @@ BDEPEND=" " # setuptools-scm is here because installing plugins apparently breaks stuff at # runtime, so let's pull it early. See bug #663324. -# -# trove-classifiers are optionally used in validation, if they are -# installed. Since we really oughtn't block them, let's always enforce -# the newest version for the time being to avoid errors. -# https://github.com/pypa/setuptools/issues/4459 PDEPEND=" dev-python/setuptools-scm[${PYTHON_USEDEP}] - >=dev-python/trove-classifiers-2024.10.16[${PYTHON_USEDEP}] " src_prepare() { local PATCHES=( # TODO: remove this when we're 100% PEP517 mode "${FILESDIR}/setuptools-62.4.0-py-compile.patch" + "${FILESDIR}"/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch ) distutils-r1_src_prepare diff --git a/dev-python/setuptools/setuptools-75.4.0.ebuild b/dev-python/setuptools/setuptools-75.4.0.ebuild index 8bd616a1e315..f4481af68e03 100644 --- a/dev-python/setuptools/setuptools-75.4.0.ebuild +++ b/dev-python/setuptools/setuptools-75.4.0.ebuild @@ -80,6 +80,7 @@ src_prepare() { local PATCHES=( # TODO: remove this when we're 100% PEP517 mode "${FILESDIR}/setuptools-62.4.0-py-compile.patch" + "${FILESDIR}"/0001-Allow-knowledgeable-users-to-disable-validating-trov.patch ) distutils-r1_src_prepare -- 2.45.2
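
Review bot: In the formats.py hunk of the embedded setuptools patch, `os.getenv("GENTOO_VALIDATE_PYPROJECT_NO_TROVE_CLASSIFIERS")` is tested for truthiness at module import time, so any non-empty value (including `0` or `false`) turns classifier validation off, and setting the variable after this module has been imported has no effect. Consider comparing against an explicit value such as `1`, and give the always-true `trove_classifier` a docstring or comment saying why it returns True, since the docstring of the replaced function does not carry over to that branch. The hunk adds no `import os`; please confirm formats.py already imports it, because the visible context does not show the import block.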
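
Review bot: The three renamed ebuilds (74.1.3-r2, 75.2.0-r1, 75.3.0-r1) drop the `>=dev-python/trove-classifiers-2024.10.16` PDEPEND in the same hunk that adds the patch, but nothing visible in this patch exports GENTOO_VALIDATE_PYPROJECT_NO_TROVE_CLASSIFIERS. Until whatever sets it is in the tree (presumably 2/2 of this series), a system with an older trove-classifiers installed is back to failing validation, so the two patches should land together. The deleted comment also held the link to setuptools issue 4459; a one-line comment beside the new PATCHES entry naming the variable and noting that the patch was rejected upstream would keep that context in the ebuild. Style: the new entry puts the file name outside the quotes (`"${FILESDIR}"/0001-Allow-...`) while the entry above it keeps the whole path inside them; pick one form.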
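
Review bot: The setuptools-75.4.0.ebuild hunk adds the patch to PATCHES in place, with no rename to -r1 as the other three versions get, so anyone who has already installed 75.4.0 keeps the unpatched formats.py until something else triggers a rebuild. Either revbump it as well or state in the commit message why this version is exempt. The hunk also removes no trove-classifiers PDEPEND, and the diffstat shows only the one added line for this file; please confirm this ebuild never carried that dependency.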