[Catalog-sig] Dependencies

Jim Fulton jim at zope.com
Sun Jun 17 19:01:44 CEST 2012

On Sun, Jun 17, 2012 at 12:24 PM, Tres Seaver <tseaver at palladion.com> wrote:
> On 06/15/2012 11:01 PM, Richard Jones wrote:
>> "impossible to safely extract requirements in a 100% generic way."
>> It has nothing to do with it being the de facto standard and
>> everything to do with executing untrusted code on pydotorg systems
>> with no guarantee that we'll even get the setup.py to work in our
>> environment anyway.
>> Sent from my portable device, please excuse the brevity. On Jun 16,
>> 2012 2:41 AM, "Chris Withers" <chris at python.org> wrote:
>>> On 13/06/2012 13:20, Donald Stufft wrote:
>>>> setuptools is a non standard addition to Python packaging which is
>>>> impossible to safely extract requirements in a 100% generic way.
> You can avoid executing 'setup.py' by looking for 'requires.txt' in the
> egg-info directory within the sdist.

Except that sdists don't have egg-info directories, presumably because egg-info
can depend on the environment the project is installed in.  For example, it's
not unheard of for dependencies to depend on the Python version
(e.g. json).


Jim Fulton
Jerky is better than bacon! http://zo.pe/Kqm
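
The approach discussed in this message, as an added example that is not code from anyone in the thread: read `requires.txt` out of an sdist's egg-info directory without running `setup.py`, and report when the archive has none. The function names and the `demo-1.0` archive are constructed for illustration; section headers of the form `[extra]` or `[:marker]` are kept as strings because they may depend on the installing environment.

```python
import io
import tarfile

def read_requires_txt(sdist_bytes):
    """Return <top>/<name>.egg-info/requires.txt as text, or None if absent."""
    # Only member names and bytes are read; nothing is executed or unpacked.
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar:
            parts = member.name.split("/")
            if (member.isfile() and len(parts) == 3
                    and parts[1].endswith(".egg-info")
                    and parts[2] == "requires.txt"):
                return tar.extractfile(member).read().decode("utf-8")
    return None

def parse_requires_txt(text):
    """Map section header -> requirement lines; '' holds unconditional ones."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # e.g. 'test' or ':python_version < "2.6"'
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def build_sample_sdist(files):
    """Build an in-memory .tar.gz from {path: text} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: one sdist with egg-info metadata, one without.
SETUP_PY = "raise SystemExit('setup.py must never run here')\n"
REQUIRES = 'setuptools\n\n[:python_version < "2.6"]\nsimplejson\n\n[test]\nnose\n'
SAMPLE_WITH = build_sample_sdist({"demo-1.0/setup.py": SETUP_PY,
                                  "demo-1.0/demo.egg-info/requires.txt": REQUIRES})
SAMPLE_WITHOUT = build_sample_sdist({"demo-1.0/setup.py": SETUP_PY})

if __name__ == "__main__":
    for name, blob in (("with", SAMPLE_WITH), ("without", SAMPLE_WITHOUT)):
        text = read_requires_txt(blob)
        print(name, parse_requires_txt(text) if text is not None else None)
```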
