[Catalog-sig] Dependencies

Jim Fulton jim at zope.com
Sun Jun 17 19:01:44 CEST 2012


On Sun, Jun 17, 2012 at 12:24 PM, Tres Seaver <tseaver at palladion.com> wrote:
> On 06/15/2012 11:01 PM, Richard Jones wrote:
>> "impossible to safely extract requirements in a 100% generic way."
>>
>> It has nothing to do with it being the de facto standard and
>> everything to do with executing untrusted code on pydotorg systems
>> with no guarantee that we'll even get the setup.py to work in our
>> environment anyway.
>>
>> Sent from my portable device, please excuse the brevity. On Jun 16,
>> 2012 2:41 AM, "Chris Withers" <chris at python.org> wrote:
>>
>>> On 13/06/2012 13:20, Donald Stufft wrote:
>>>
>>>> setuptools is a non standard addition to Python packaging which is
>>>> impossible to safely extract requirements in a 100% generic way.
>
> You can avoid executing 'setup.py' by looking for 'requires.txt' in the
> egg-info directory within the sdist.

Except that sdists don't have egg-info directories, presumably because egg-info
can depend on the environment the project is installed in.  For example, it's
not unheard of for dependencies to depend on the Python version
(e.g. json).

Jim


-- 
Jim Fulton
http://www.linkedin.com/in/jimfulton
Jerky is better than bacon! http://zo.pe/Kqm

