[Catalog-sig] parsing setuptools style requires.txt

Alexis Métaireau alexis at notmyidea.org
Mon Sep 12 14:01:43 CEST 2011

Hi Dylan,

On 09/12/2011 10:43 AM, Dylan Jay wrote:
> It's also been mentioned that in order to make this parsing work you need
> to run setup.py to get the requires.txt for setuptools packages and this
> is a security concern. However many packages already have the egg-info
> command run before upload so there is no need to run setup.py. For those
> packages where there is a need I think security concerns could be
> overcome with the use of the restrictedpython package. Anything trying
> to import anything but the bare minimum is skipped.

One problem I can think of is the fact that it is not possible to get 
platform-independent information from a setup.py, in the sense 
that setup.py is executed and can provide different metadata depending on 
the platform the setup.py is executing on. PEP 345 and environment 
markers aim to resolve this problem.

But, what are you trying to do exactly? Do you want to get the list of 
dependencies coming from setuptools? If yes, then the way we are doing 
it for the setuptools compatibility layer in distutils2/packaging is the 

1. monkey-patch setuptools.setup with your own setup, storing the given 
metadata somewhere
2. run the setup.py which will call this monkey patched setup function

This has been implemented here: 

I agree this is not as easy as it could be with uploading metadata to 
PyPI (as it will be with distutils2 and PEP 345), but having platform-
specific dependent metadata information on PyPI is only half answering 
the problem, so the solution for now is probably to do this on the 
client side.

Hope this helps.
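As an added illustration of steps 1 and 2 above (this is not code from the thread or from distutils2), here is the monkey-patch approach in Python. The function name collect_setup_metadata and the sample setup.py are my own constructions; the sample's install_requires varies with sys.platform, which is exactly why the captured metadata is not platform independent, and the rest of setup.py still executes, which is the security concern Dylan mentions.

```python
import runpy
import sys
import tempfile
import types
from pathlib import Path

# Constructed sample setup.py (not from the thread). Its install_requires
# depends on the platform it runs on, which is the problem raised above.
SAMPLE_SETUP_PY = '''
import sys
from setuptools import setup

deps = ["requests>=2.0"]
if sys.platform == "win32":
    deps.append("pywin32")

setup(name="demo", version="1.0", install_requires=deps)
'''


def collect_setup_metadata(setup_path):
    """Run setup.py with setuptools.setup replaced by a recorder.

    Returns the keyword arguments passed to setup(). The real setup() is
    never called, but all other top-level code in setup.py still runs, so
    only use this on trusted input or inside a sandbox.
    """
    captured = {}

    def recording_setup(**kwargs):
        captured.update(kwargs)

    # A module object named "setuptools" is needed to patch; if the real
    # package is absent, a bare stand-in suffices since setup() is replaced.
    created_stub = "setuptools" not in sys.modules
    try:
        import setuptools
    except ImportError:
        setuptools = types.ModuleType("setuptools")
        sys.modules["setuptools"] = setuptools
    original = getattr(setuptools, "setup", None)
    setuptools.setup = recording_setup
    try:
        runpy.run_path(str(setup_path), run_name="__main__")
    finally:
        if original is not None:
            setuptools.setup = original
        elif created_stub:
            sys.modules.pop("setuptools", None)
    return captured


def demo():
    """Write the sample setup.py to a temp dir and collect its metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "setup.py"
        path.write_text(SAMPLE_SETUP_PY)
        return collect_setup_metadata(path)


if __name__ == "__main__":
    print(demo())
```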
