#general

I'm talking about the things you mentioned above

it's a whole package deal

PEP 735 should address the dev dependencies case

oh, yes, please

Does PyPA (or the PSF since I suspect someone may know the answer for that as well) publish its list of banned github users publicly perchance?

I don't think so. at least for https://github.com/python repos, I normally report directly to GitHub to begin with, they will often suspend the account directly

and that helps other orgs too, the spammers often target multiple orgs

I tend to do that as well, but that works only for spam obviously -- the reason for asking is a certain notorious user who files ostensibly spam bug reports who I banned, and who then created what I suspected was a ban evasion account but never bothered to research -- and then now a few minutes ago I happened across a comment on a repository that indicated y'all agreed and had banned the other account.

(And obviously I'd love to not have to waste any brainpower whatsoever on these sorts of things)

Hatch v1.8.0 is now available! https://discuss.python.org/t/announcement-hatch-v1-8-0/40865

Discussion also here: https://news.ycombinator.com/item?id=38601421

I have a Dr. appointment tomorrow so I'll be offline but Wednesday I'll announce #pyapp finally

The PSF does not

@blazing lantern as a CPython core developer, what do you think about this? I've never heard of it until recently https://github.com/indygreg/python-build-standalone/issues/200

I don't trust any perf claims w/o benchmarks on the exact version you're running since the Faster CPython team changes so much each release.

I don't think it actually applies to how those are built either. The reason why this speedup exists has to do with LD_PRELOAD, but the standalone builds don't dynamically link IIRC

they do dynamically link as far as I'm aware, with an option for Windows to be statically linked (which kinda doesn't work amazingly so I don't use that)

yeah I was just wondering, figured if it came from Red Hat the benchmark must be legitimate for them to change packaging

Considering I use that to get tiny python images that are based on distroless, and don't pull in shared libraries... https://github.com/mikeshardmind/minimal-container-images/blob/main/python/Dockerfile

That said, even if they aren't, because of the nature of how the builds are done, it would be relatively simple to rebuild an existing version with just that change and compare.

oh, I did change that to use base

oh, but not because of python, it's even in the comment there about pip installed things might not behave properly if they assume something present

final update on that, it looks like those builds already have that https://github.com/indygreg/python-build-standalone/issues/200#issuecomment-1851200521

@high stone wow I just read your email about us being upgraded to enterprise courtesy of GitHub! thank you for that and to William for starting that discussion with them

finally making #pyapp public https://discuss.python.org/t/announcement-pyapp/41030

Reminder: https://blog.pypi.org/posts/2023-12-13-2fa-enforcement/

👋 I'm looking at build front/backends for building trivial (like.. one source file) projects for testing package resolution. I've been using hatch/hatchling and am in search of faster solution as building the sdists/wheel is the slowest part of my pipeline. I tried switching to pypa/build/hatchling but that's ~5x slower. Does anyone have any quick recommendations or ideas about which build tools are the fastest?

I just tried hatch/setuptools and ended up with >10x slower 🙂

Have you tried setuptools without hatch?
Maybe flit?

can you please explain what your setup is like? which part is slow exactly? build/hatchling should be the fastest possible

I'm generating "projects" from a definition in a JSON file e.g.

❯ tree build/example-4a6eaaab
build/example-4a6eaaab
├── example-4a6eaaab-0.0.0
│   ├── pyproject.toml
│   └── src
│       └── example_4a6eaaab
│           └── __init__.py
├── example-4a6eaaab-a-1.0.0
│   ├── pyproject.toml
│   └── src
│       └── example_4a6eaaab_a
│           └── __init__.py
└── example-4a6eaaab-b-1.0.0
    ├── pyproject.toml
    └── src
        └── example_4a6eaaab_b
            └── __init__.py

Then, I'm iterating over them and calling hatch build

It's not slow, but it's orders of magnitude slower than anything else I'm doing

is the second time the fastest out of all?

try to run it a second time

hatchling is THE fastest?

INFO:root:Building 'example-4a6eaaab' in directory 'build/example-4a6eaaab'
INFO:packse.build:Generated project for 'example-4a6eaaab-a-1.0.0' in 1.08ms
INFO:packse.build:Built package 'example-4a6eaaab-a-1.0.0' in 0.38s
INFO:packse.build:Generated project for 'example-4a6eaaab-b-1.0.0' in 0.81ms
INFO:packse.build:Built package 'example-4a6eaaab-b-1.0.0' in 0.39s
INFO:packse.build:Generated project for 'example-4a6eaaab-0.0.0' in 0.88ms
INFO:packse.build:Built package 'example-4a6eaaab-0.0.0' in 0.30s
INFO:packse.build:Built scenario 'example-4a6eaaab' in 1.08s
example-4a6eaaab```
Seems roughly constant

can you show the configuration?

Definitely not setuptools, it’s by far the slowest build backend (last time I checked. They might have improved that somewhat since then)

It was the slowest I tried too 😄

@blazing lantern do you happen to know what this might mean? https://github.com/pypa/hatch/discussions/1149

https://peps.python.org/pep-0514/#installpath

I don't know if their message means they are missing the key or there's nothing at the path location

interesting, thank you!

did anyone ever seen or heard about any effort/works to standardize a use of dependencies from external sources (other than PyPI) in a "better" way than --index-url/--extra-index-url that pip offers?

(whats wrong with that way?)

it's mostly that with many package managers available, each has it's own way of dealing with packages from different sources. this is especially an issue with pytorch libraries since they come from outside of PyPI. would be nice to have it standardized (like PEP 621 standardized project metadata)

nothing has changed, and I think a lock file is a prerequisite for that

I can't think of any differing behavior here which would benefit from additional language. There's conda, but conda isn't directly fetching requirements in a compatible manner to pip to begin with, the goals are different there

Do you have an example of something that differs you don't think should?

I meant more in the ways of better UX. shifting responsibility of providing the extra source from user to packagers/authors that require that source

They already can be, packages that do that just can't be uploaded to pypi. That's intentional, and there are related security concerns

any pep 508 dependency specification (Which can include a source to get it from) should be handled fine by tools, whether indexes allow them is seperate

I think they are referring to something like Cargo package overrides where, if for example you require a custom internal patch, you could have the source for package A point to a Git repo rather than a specific version as originally defined

which I haven't put too much thought into however I plan to tackle that next year as part of lock file stuff

Yeah, and tools handle those fine pypi is what doesn't allow those.

numpy @ mynumpyfork.url/version.zip

is valid.

(git links require git+repo_url but work too)

no I think you are missing the point. the incoming spec is numpy==x.y.z and during resolution you want to override that explicitly

I'm not, pep508 specifications explicitly allow this.

yes I totally agree with you but the issue is the UX of how to override that

pip has no solution for this

I can use that in a requirements file or pyproject.toml today with pip

I think PDM has an option

I cant upload a package to pypi that does that.

it's not the package management preventing that

sorry we are still talking past each other 😅 let me give a more concrete example

you have a giant list of requirements called requirements.in and you install it like this pip install -r requirements.in. on Windows specifically there is a transitive dependency that simply does not work as defined but you have a fix prepared in an internal repository. you want to somehow override that definition on Windows before your lock file is produced

@inland prawn also feel free to chime in if I am misinterpreting what you're asking for

I thought that works currently with pip and specifying that? 🤔 if it doesn't, then I think at work I need to review Why something is working as expected tommorow when I'm on the clock.

it works if you manually change the input file to point to your patch or any other overrides, sure

but that is not really an override, that is simply changing your inputs

I don't think specifying you depend on a specific patched version is the wrong way to do this 😐

honestly I got lost a bit lol

so maybe im missing a piece of the puzzle still

I also dont think publicly distributed packages should rely on patched versions that could conflict with the same namespace, and should contribute upstream neccessary fixes

at work we definitely have to. we support customers who run on CentOS 6 and we do not want literally everyone to use old versions of stuff like cryptography so we have patches to do that just on old platforms

right, but there you're the app, not a library, so patching is in your purview, you know the full environment and that doing so isn't an issue.

pip does not let you override dependency specifications, it requires them all to match, if the numpy spec in the dependencies does not overlap with the numpy spec in your requirements file or passed on the CLI or what not it will detect it is not resolvable and error out

you can fake it by making a lock file and using --no-deps

ok, the point I was going for was that sources information and their priority in package discovery is not written to metadata (at least from what I remember). since package repositories are now standardized, we could make an effort to standardize the way we define sources in pyproject.toml and how those should be treated during installation.

do you mean from the package author or from the package consumer

we intentionally have no packaging channel for some reason so I will post here: is there any way that we can reduce the import cost?

example: https://github.com/pypa/packaging/blob/main/src/packaging/version.py

it doesn't look like much is going on there

It's probably from compiling the regex I'd imagine

I thought the same but the impact is negligible

I can reduce the imports by 4 ms if I set those custom type definitions on top to None

oh typing takes 3.2 ms

oh my goodness tags is the one of the main culprits since everything except for version seems to require that import https://github.com/pypa/packaging/blob/main/src/packaging/tags.py

Is it any better with the latest 3.13 alpha?

Obviously doesn't help you now, but curious if stuff like https://github.com/python/cpython/pull/109651 helps

so it's intentional?

I created one a while back but it got deleted promptly because someone felt like it wasn't useful or something, I can't remember

I think tags precomputes a big list of tags

better but still a regression compared to 3.11

first refactor, then PRs to reduce import costs are coming https://github.com/pypa/packaging/pull/754

next PR will cut the time down by 50% https://github.com/pypa/packaging/pull/754#issuecomment-1871698628

what's the sleep 2 in there for?

in testing it made the time go down slightly, I'm guessing the container file system needed time to write the byte code

curious

cpython has built-in routines for measuring import times.

(the header of the table)

of course a full table will write out all modules and their times

three times faster on my end with some fancy optimizations.

yeah I use it frequently but for standard library imports I like to just run the import multiple times to get an average

Check out hyperfine to do those multiple runs for you

yes that tool is how I track responsiveness in CI for Hatch but for a one-liner invocation of Docker it's easier to do a for loop in Bash

packaging.tags specifically does not pre-compute tags to avoid unnecessary overhead (it's why the API is aii iterators backed by generators)

is any maintainer able to review this soon? https://github.com/pypa/packaging/pull/754

No idea. I'm still digging myself out from under vacation backlog. I'm also going on paternity leave in mid-March, so I'm starting to prioritize stuff where I'm the sole blocker (which I'm not for packaging)

I am no maintainer, but can take a closer look if that helps

did we get raided by the equivalent of an angry farmer with a pitchfork? :)

With that description, I’m sad that I missed it. Like, an anti-packaging luddite?

It was just a spammer.

we don't keep logs so I have no idea

I just saw an admin ping and a whole lot of unread channels :P

Just a spammer

how did it go away? I saw the ping but I don't know how that translates to all of those messages going away at the same time

IIRC discord has a purge ban feature

I did a ban and told it to delete the last 7d of messages from that user

Good to know I wasn't the only one confused by a bunch of empty "unread channels" 😅

hi

There's a Python package I'd like to develop. This package will need the following steps at build time:

• Clone a Git repo that holds native code I'll need
• Compile this native code for the big three desktop platforms (Windows, macOS, Linux), though with room to expand if necessary
• Generate ctypes bindings from this repo's headers

I know the language well but haven't written a polished Python package before. Any recommendations for build tools I should use? Or maybe it would be more helpful if I described my project in detail?

Setuptools sound like a good choice. Kinda default when it comes to compiling and distributing native code based packages

Okay. How does setuptools do that, broadly speaking? Am I expected to call os.execute a lot? Or are there Pythonesqe wrappers for common C/C++ build systems? The library I want to build is written in C, and I intend to write a CMakeLists.txt for it. I don't want to write any extra C code if I can avoid it

Also, fetching the library. To keep the build process simple, I'd like to fetch the library itself (and any dependencies) via git as part of the build process.

Should I do that in Python, or can I use CMake's FetchContent module for that?

...eh, I'll use FetchContent. Probably easier, now that I think about it. One less thing for Python to manage.

That leaves generating the ctypes bindings, then. Got any suggestions? I know of ctypesgen, CFFI, and SWIG. But I can't decide between them.

what library do you want to make a binding for to begin with?

libretro-common, which is used by libretro cores (emulators) and frontends (things that play the emulators). https://github.com/libretro/libretro-common

Frontends are expected to expose their implementations of certain APIs (like filesystem access, performance counters, etc.) through function pointers that cores can ask for at runtime. However, libretro-common includes reasonable defaults.

I want to write a libretro frontend in Python for the use case of running tests on cores.

It's one thing to parse the headers to get ctypes definitions for the structs and other types I need. But if I can hand off these functions (where applicable) to the core from a compiled library, mimicking RetroArch's behavior will be much simpler.

Hey all, I'm looking for people who might be interested organizing the packaging summit at PyCon US 2024. Is anyone already on it?

Honestly I'd recommend looking at using mesonpy or scikit-build-core as your build backend. The former integrates with meson and the latter integrates with CMake to handle the native code while packaging the right bits into a Python distribution

Thanks for the suggestion, I'll take a look.

I would echo the previous recommendation, please definitely try scikit-build-core first

You got it.

@toxic cypress as to fetching the upstream native code of libretro, I think a better idea would be to submodule it into your own project, rather than fetching it on build time

How come? I fetch it (and many other dependencies) in another project without any issue.

do you pin to specific commits what you fetch, or did it jsut not break so far

Yes, I do. I just make it easy to update to a later commit (change a line in CMakeLists.txt). An added benefit; you can change the commit locally for dev/testing purposes by defining a variable.

I'd say that build should be always possible offline when you have an sdist of the project and build dependencies. That's what I have always seen in any major packaging system. it also makes your build fault-tolerant in case upstream commits/repos are removed

FetchContent lets you specify a local copy of a dependency instead of fetching it. And switching to a fork that I control is trivial.

is anyone here today proficient in compiling on Windows? I'm blocked currently on installing pymqi on Python 2 (don't ask lol)

  cl : Command line warning D9002 : ignoring unknown option '/std:c11'
  pymqe.c
  code/pymqi/pymqe.c(1053) : error C2275: 'Py_ssize_t' : illegal use of this type as an expression
          c:\py2\include\pyport.h(183) : see declaration of 'Py_ssize_t'
  code/pymqi/pymqe.c(1053) : error C2146: syntax error : missing ';' before identifier 'property_value_free'
  code/pymqi/pymqe.c(1053) : error C2065: 'property_value_free' : undeclared identifier
  code/pymqi/pymqe.c(1059) : error C2065: 'property_value_free' : undeclared identifier

i'm reading https://docs.python.org/3/installing/index.html#installing-index, does anybody know why all links to https://packaging.python.org/ in the "See also" sections are broken?

seems like some redirects should be made (https://docs.readthedocs.io/en/stable/user-defined-redirects.html)

seems to be planned (https://github.com/pypa/packaging.python.org/issues/1408, but waiting on the rtd ifx, that maybe is already fixed? https://github.com/readthedocs/readthedocs.org/issues/10963

so weird https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes#Kernel

New in macOS Big Sur 11.0.1, the system ships with a built-in dynamic linker cache of all system-provided libraries. As part of this change, copies of dynamic libraries are no longer present on the filesystem. Code that attempts to check for dynamic library presence by looking for a file at a path or enumerating a directory will fail. Instead, check for library presence by attempting to dlopen() the path, which will correctly check for the library in the cache. (62986286)

is there any list/matrix of tags needed to cover all possible platforms and architectures out there?

probably not, there's a (minor) problem with assuming that can be exhaustive as platform is tied to {sysconfig, distutils} get_platform(), which is allowed to vary by interpreter. If you only care about Cpython, I think that reduces it to something that could be exhaustive on platform, you'd then need to find an exhaustive supported architecture list, and that seems daunting since in theory, all you need is a c compiler and a bunch of deps that also only need a c compiler and some c libraries for cpython to exist on the architecture.

You could probably get a pretty pragmatic list by getting every option possible for platform on cpython, and every architecture for which there is a wheel already published on a well known index though.

You can look at the list of tags supported by pypi, which is the closest to "supported platform" there is, otherwise the list afaik unbounded, people are compiling cpython for all sorts of platforms

I think this is the living document showing the different support tiers https://peps.python.org/pep-0011/

found some prior discussion on this. https://discuss.python.org/t/wheel-platform-tag-for-windows/9025/7 The list there of support tiers is probably a pretty pragmatic option though in spite of the commentary here about things not supported still being possible.

is such list somewhere in docs or do I have to dig into the codebase for that?

Stuff like this comment in thread:

If you do your own build for other platforms, you could get a different tag. This includes the two (current) ARM variants of Windows, as well as occasional (unsupported) variants targeting UWP or WinRT.

seems to kill any idea that it's going to be exhaustive even on platform though unless you limit platform to things listed in the pep linked above.

I wouldn't know of any explicit docs list

actually, why do you want a list? if you build for Windows and macOS and use the manylinux spec, wouldn't that cover literally everything?

(the manylinux spec in combination with the list of supported architectures I linked)

I plan on writing a package joining Rust and Python and wanted to avoid "you didn't cover my platform" issues by providing all possible wheels

🤔 you should be able to just look at the platform+architecture support the rust compiler has and use that, that will be more limited than the possible places you could build cpython

The https://github.com/PyO3/maturin-action docs and examples should cover building all wheels pypi supports

thanks

someone is going to cry that you don't support NonStop or something

https://en.wikipedia.org/wiki/NonStop_(server_computers)

Code is, I believe, https://github.com/pypi/warehouse/blob/5587c729a812c218ae9818e3ff5a8a5b22ddaddb/warehouse/forklift/legacy.py#L91-L179

Yes, that officially lists the platforms that CPython supports and to what extent

You missed musllinux 😁

Hatch will have a built-in bug reporting mechanism in the next minor release that pre-populates some debug fields such as version and minimal config. One other bit of info is how it was installed. Am I missing any other popular ways to install Python tools? https://github.com/pypa/hatch/blob/2da7ad2a9a57bc731c2f7c8d3a3ade5f074bc36c/src/hatch/cli/self/report.py#L11-L63

Distro-specific ones, like rpm, apt etc (and probably needs a special case for Nix, since it's kinda like homebrew, not bound to a distro)

true! I just don't know how to do that yet so for now I check if the installation is "externally managed" per the PEP and report the install comes from system

Hello - I have a question about a package name release request for an invalid package (no code or uploads, 8 years without anything added). Should I ask here, or in the pypi channel? I've made a ticket, but judging by the other tickets it's been a long time since any were actioned

The report is here https://github.com/pypi/support/issues/3527

You can ask in the #pypi channel, but if it's about ETAs or how to make the process go faster, you probably won't like the answer 😉

Hey does anyone know where I can download pypa3?

Can you help me please?

help with what?

Do you know where I can download pypa3?

what is that?

Idk I was just told to download it to start on this project

This is pypa isn't it?

perhaps you have the wrong server, this is for packaging discussions about a programming language

I was on pypa.io, and can't find the download for it

This is the pypa discord is it not

Yeah I figured as much, I think we are going to have to go for a different name. We can't wait 6+ months for the name to be released.
The project name we want has never had any code or installable package in nearly a decade, so it's just name-squatting. TBH I'm surprised PyPi allows this
Maybe in the future projects should have to have a minimum amount of code. Especially as it seems the only actioned tickets are those resolved by users...

@mortal shore ^

Eh, well we don't really allow it

but there's only ~4 people with the power to remove a package

and we're all pretty busy

and processing the name requests is a lot of time and effort

and it's hard to add new people, because granting someone the power to reassign names like that requires a very high level amount of trust

and most of the people who the 4 of us know well enough to trust with that power already, are also pretty busy themselves

Fair enough - I do think maybe there should be an automatic flag for projects uploaded with no code or package though

Especially if nothing is added after 8+ years

It's currently not possible to claim a name without uploading something, if there's a name on PyPI without any uploaded files it either means:

• They uploaded a file and then deleted them
• They did it many years ago before it was required to upload a package.

We could automatically release names with no files associated with them, but I suspect once the initial "burst" got released, very few extra ones would because people claiming names would just upload a dummy file instead.

There area also some squats that we generally consider valid-- for instance Microsoft could decide to squat the name "microsoft" and that would be fine.

https://packaging.python.org/en/latest/specifications/platform-compatibility-tags doesn't seem to mention build tags at all, with one exception (it's in the string showing the full wheel name). Should it be at least described a little bit? (Or is it somewhere else? The only PEP with a description that I easily found was the deferred Wheel 1.9 PEP (491))

Build tags are described in the wheel specification: https://packaging.python.org/en/latest/specifications/binary-distribution-format/#file-name-convention

This package was uploaded Feb 2016, so perhaps that was before you required something with the project? I can't see any history for the project, and the description just says test sample project

Hi, I'm not sure where this belongs best, so I'm writing here in general:
Since I read this blogpost I try to implement best practices regarding dependency management. My goals are:

• Use only pyproject.toml as single ground truth defining the dependencies.
• Support multiple python versions and in the future also multiple platforms.
• Generate pinned requirements files or Pipfile.lock for CI testing (with multiple python versions) and development.
• If possible use hashes.
  I'm currently using multiple pip-compile commands, to generate requirements/dev.txt and requirements/test.txt but they only generate requirements for the current virtualenv. If I understand it correctly, going further with pip-tools I would have to make an automation, which enables various environments and runs pip-compile for each and saves them to separate requirement files, e.g. requirements/py38/dev.txt. In the future, I would probably also add another layer and create requirements/linux_x64/py38/dev.txt. I have never seen this approach and it looks very verbose. But it is the suggested way of pip-tools as per their README.md: https://github.com/jazzband/pip-tools?tab=readme-ov-file#cross-environment-usage-of-requirementsinrequirementstxt-and-pip-compile)

I found multiple open issues:

• https://github.com/pypa/pipenv/issues/5130
• https://github.com/jazzband/pip-tools/issues/1220

So, if I understand correctly, this is an open problem? But I guess there are solutions. I checked some popular large packages, but did not find one, which really checks all marks.

What are your approaches? One compromise could be to only support one development environment (e.g. linux, x64, python3.10) and let the CI tests install via pip install ., i.e. from pyproject.toml. But I'm not 100% ready to accept that. What if a Mac user, or god forbid a Windows user joins my team?

You'se right, it's an open problem. I personally think the lack of lock file standard causes enough re-invention that most tooling doesn't reach the point of supporting your use case

I agree with Brett, and I'm sorry about the current situation

PDM and Poetry both generate multi-platform lock files by default. Doing so I suppose is tricky if an sdist-only scenario is encountered and the sdist's build backend returns different dependencies based on the platform (not using markers). But hopefully that's an edge case.

Poetry goes with assumption, that all wheels use the same set of dependencies based on markers

It seems like a good assumption. It makes the problem tractable

And I guess as Poetry and PDM continue to gain popularity, there is increasing pressure on package authors to make their packages work with those tools.

@lusty quarry would you mind sharing your opinion on https://github.com/jaraco/pip-run/pull/96#discussion_r1459516120 as the author of PEP 723? thanks!

commented, thanks!

I amended my comment lol

thanks!

i agree that the reference implementation from the PEP is easier to translate into other languages

filter+lambda from Python can intuitively be written in JS/TS/Dart

but when it comes to Python-only, i would argue that it's better to use generator expression instead of filter+lambda most often

primarily due to readability and "Pythonicity"

filter wins when there are C functions, so filter(str.islower, s) > (ch for ch in s if ch.islower())

Thanks Brett, ofek, jvolkman and Secrus for the input! I'll take a look into Poetry or PDM. I refrained until now, since I want to keep dependencies at a minimum and work with standard tools.

it's not something that we directly support but you can use Conda

Yeah, no thanks. In my 6+ years of programming Python, I never had a good experience with it. I always ran into unsolvable environments. Waiting hours for that slow program to solve them. Sometimes it solved them after more than two hours. Really started understanding the halting problem, by watching that spinner animation.

I don't use it anymore but I can confirm that they have fixed the slow resolution. Over the past 1-1.5 years they rewrote the resolver in Rust using state-of-the-art algorithms.

Oh interesting. Good news. Maybe the next time someone starts a pytorch project in my team, I'll suggest him to use conda and see how it goes. But I also think pytorch and cuda with pip got a lot better. But I haven't tested cross-plattform useability yet.

PEP 723 seems uhh

interesting to say the least

what do you mean by "interesting"?

i mean i can definitely see why it exists, but people definitely have a lot of opinions on it :P

imo, i dont really understand the justification of not using a requirements.txt format, as the format would use something similar for the dependencies section

you can define everything in a single file. this lets you have many single-file scripts in the same directory (like a bin or something)

i get that part

why not like

# /// script
# my_package==3.14
# ///```

I'm no expert on this. But the PEP says: "And furthermore, the requirements file format is pip-specific, so tools relying on it are depending on a pip implementation detail."

i honestly dont really see how that is such a big of an issue

ah sorry, you asked about the format. there was a lot of discussion about the format, with concerns pyproject.toml/TOML is hard to learn. but Microsoft did some user testing and the result was that it wasn't such a big deal after all

so I think the idea is that if a single script is later promoted into a project, you already some TOML format to create the pyproject.toml

requirements.txt and pyproject.toml arent mutually exclusive

pyproject.toml's way of defining requirements are just to slap em in a list with essentially the same format

Microsoft did some user testing and the result was that it wasn't such a big deal after all

i never said TOML wasnt easy to beginners

sure, but that was a concern

what build tool does everyone use for normal python projects (setuptools, pdm, hatch, poetry, ...)?

some usage graphs here ^

i just wanted to get a sense of what the people here use

I usually use Hatchling for pure Python projects, or setuptools for projects with C extensions

i personally use setuptools

for like everything :P

@obsidian lily I think you might have missed the part in the spec where you can define the Python version requirement which would preclude your idea of a straight requirements.txt dump

I would recommend Hatchling https://hatch.pypa.io/latest/why/#build-backend

I mostly use setuptools, but that's more or less because I've always used setuptools and nothing it's done has made me care enough to figure out another tool

Me too
I also use setuptools' support for requirements.txt files to help Snyk understand my dependencies

First packaging tool I came across was Poetry and I loved the all-in-one feeling, so I just went with it all the way to maintaining it lol

Hatchling. It feels like it has no ceiling. It allows to do as many things as you could imagine, and if you can imagine more, it allows to easily extend it with ad-hoc and shareable plugins.

And Maturin, because Rust is a pleasure to write.

I'm hoping to allow for maturin as a Hatchling build hook some time this year when I have a few days to dig into the code https://github.com/PyO3/maturin/issues/1419 (somebody just asked me earlier today again in an issue)

@west drift has there been any update in the past year regarding the config/separation concerns as your comment mentioned? just wondering if the work has gotten any easier 🙂

Bazel 😅

hi dog(go)

sorry, no update on that

wow a lot of people are joining

The format also needed to be language- and tool-agnostic and requirement files are neither (as someone who had to write the syntax highlighting grammar for VS Code)

I jump between hatchling and pdm-backend

It's a good day for PyPI stats https://mastodon.social/@venthur/111823538346874329

nooo setuptools

I opened a topic for discussion https://discuss.python.org/t/allow-for-overriding-the-default-environment/44581

Are you cross-compiling wheels with zig?

yes because the beta for GitHub ARM runners is not yet ready (and apparently what we'll be getting is a blank image with nothing preinstalled)

I've been using zig for a couple of years now with Bazel and it makes cross compiling (relatively) easy and fun. Even allows me to build macos wheels on a linux build host.

@lusty quarry care to share your cross-compilation setup?

it's not yet complete but I will link it here when it is, it's a public repo

yeah it's great, I can't believe so many people use it and yet it's not talked about much

Didn't they just launch yesterday?

macOS did not Linux

Are there any plans for a packaging summit at pycon this year?

Yes, @noble matrix is helping arrange it

Great! I'm very interested in joining, I have two or three PEPs I hope to work on

did the accepted PyCon talks get announced yet?

not yet, I heard in the core.py podcast they're pretty much decided on, but not yet officially

I put together a small example that uses Bazel + zig (+ other tools) to build the zstandard package cross-platform: https://github.com/jvolkman/bazel-pycross-zstandard-example

Is there a list of known projects implementing a given packaging standard? E.g. Pip and poetry for installers, setuptools, hatchling, flit, etc for build backend...

It would be useful to know what exists out there

Especially for new PEPs so authors can make sure they get implemented in the right ecosystem e.g. I want to propose a change to metadata, but what projects are important to that? I know a few (backends, installers, etc), but not all of them.

More specifically @high stone , @tidal kiln, @hidden flame and myself 🙂 Now that we got the date coordinated with the other summits, Saturday afternoon of the second main conference day we're getting the various bits ready and plan to announce in the next few days

Excellent!

Thank you all for organizing 🙂

February 5-6, 2024 — Notifications are sent to speakers
February 16, 2024 - Travel Grant applications close and final day for speakers to confirm attendance
February 28, 2024 — The schedule is posted here on the PyCon US website

From https://us.pycon.org/2024/speaking/guidelines/

I hope one day I can attend

What's keeping you? 🙂

money and distance 😄

you still have two weeks to apply for a travel grant to help with the first bit! https://us.pycon.org/2024/attend/travel-grants/

It's possible I'll finally attend this year 🙂

Setup.py vs PyProject.toml, up to 2024-01-01, so close! only a gap of 534, maybe it's flipped by now?
https://py-code.org/stats

well, I guess until we get a good, stable standard for extension modules packaging, setup.py will still be there

It's weird to have this framed in terms of setup.py vs pyproject.toml, when it's perfectly valid to have both.

well, I guess it's "the old way" vs "the new way"

some projects also keep setup.py for GH discoverability (which now works with pyproject.toml too)

Yeah, doing vs. doesn’t work also since many projects use pyproject.toml only for non-packaging configs (remember when Black was the only reason people use the file?)

The argument on extension modules is also somewhat awkward considering literally everything in setup.py is non-standard…

yeah, but it is a kind of standard for extension modules. might be non-standard, but there is nothing as popular right now (outside of maturin maybe)

hi! quick question: is it guaranteed that setup.py will always be executed with the cwd of its containing directory?

that is, if I'm writing code to single-source package version, can I just use relative paths or do I need to manually do a Path(__file__).parent?

(this is a pre-existing project with a setup.py, so I can't use [tool.setuptools.dynamic] or setuptools_scm or anything else)

I don't think this can really be guaranteed, since someone can always run it from whatever directory they want. That said, I think setuptools generally assumes that the current directory is the project root.

Also, PEP 517 specifies that build hooks are invoked with the working directory set to the project root, so assuming someone uses standard mechanisms to install your project, that should always be the case.

aha, great, that'll work

thanks!

whelp, looks like I'll finally have enough motivation to work out the logistics of attending PyCon 😄

Wish I was attending so I can ask the inevitable, "why isn't there just one packaging tool?" question 😁 (FYI I'm thinking of writing a blog post on the subject so we all have a link to point people at)

Just venting: resolving w/ extras is a hard (context: https://github.com/brettcannon/mousebender/blob/resolve/mousebender/resolve.py ; it now works after a partial rewrite of my code)

how does it handle cross-platform resolution?

(I am clueless about previous lockfile attempt, I only know it didn't support sdists, was based of files not releases and that it failed) what's wrong with Poetry's resolver? What issues doesn't it address, compared to what you want to achieve with a "standard lockfile"?

what do you mean by being based on files rather than releases?

in theory we could standardize on one of the existing file formats

ok, I missremembered something, nvm

but the question stands

(not that I am trying to force something, I am genuinely interested if there is something wrong with Poetry's lockfile)

I think poetry (if I understand correctly) dumps basically everything in the file. this in my opinion is wasteful and causes extra complexity during installation. my view is that as much work as possible needs to be done during resolution to keep installation logic to the absolute minimum

[[package]]
name = "build"
version = "1.0.3"
description = "A simple, correct Python build frontend"
optional = false
python-versions = ">= 3.7"
files = [
    {file = "build-1.0.3-py3-none-any.whl", hash = "sha256:589bf99a67df7c9cf07ec0ac0e5e2ea5d4b37ac63301c4986d1acb126aa83f8f"},
    {file = "build-1.0.3.tar.gz", hash = "sha256:538aab1b64f9828977f84bc63ae570b060a8ed1be419e7870b8b4fc5e6ea553b"},
]

[package.dependencies]
colorama = {version = "*", markers = "os_name == \"nt\""}
importlib-metadata = {version = ">=4.6", markers = "python_version < \"3.10\""}
packaging = ">=19.0"
pyproject_hooks = "*"
tomli = {version = ">=1.1.0", markers = "python_version < \"3.11\""}

[package.extras]
docs = ["furo (>=2023.08.17)", "sphinx (>=7.0,<8.0)", "sphinx-argparse-cli (>=1.5)", "sphinx-autodoc-typehints (>=1.10)", "sphinx-issues (>=3.0.0)"]
test = ["filelock (>=3)", "pytest (>=6.2.4)", "pytest-cov (>=2.12)", "pytest-mock (>=2)", "pytest-rerunfailures (>=9.1)", "pytest-xdist (>=1.34)", "setuptools (>=42.0.0)", "setuptools (>=56.0.0)", "setuptools (>=56.0.0)", "setuptools (>=67.8.0)", "wheel (>=0.36.0)"]
typing = ["importlib-metadata (>=5.1)", "mypy (>=1.5.0,<1.6.0)", "tomli", "typing-extensions (>=3.7.4.3)"]
virtualenv = ["virtualenv (>=20.0.35)"]

is that wasteful?

what would you take away?

I view (which I think? Brett shares as do the folks at prefix.dev) that the future lock file will actually have targets and basically have a resolution result per target

the only thing I see is description field

so, multiple lockfiles?

the folks implementing rip are doing it with top level targets which is the conclusion that I came to last year (which like I said if I remember correctly Brett also concluded)

basically yeah you could say that

It becomes more noticably a problem when you see a set of hashes where you actually support a version range and multiple platforms with native dependencies

basically everything and you would be pointing to files directly

then what's really the point? what's the difference between that and just having multiple requirements.txt files? cause that what I see in mind mind each time I hear "multiple lockfiles"

no difference other than being standardized

that would require more legwork during locking (which already can be quite long with some pathological cases)

no?

yeah I don't think it would cause that much extra computation during resolution

and standardizing this makes resolving with locks sourced by multiple dependencies to be simpler, as you should just be able to merge the constraints

and if we hit pathological cases then I'll simply write the logic in Rust

that's a shame, I thought "one file to rule them all" is the end goal

Everything used to resolve compatibility is an input to the resolver (i.e. nothing is implicit)

the other thing that no one talks about that I will definitely have to put in the PEP is the concept of patches

so specific dependencies in the resolution can be modified to point to a fork for example

I feel like you're retreading the ground that conda has already solved, may want to look there.

(Not saying to just use conda, but look there for what problems they ran into to skip past needing to relive those issues)

Depends on your definition of "one file"; you could have all resolutions recorded in a single file

yes this is what I was thinking, still TOML

I did when we wrote https://peps.python.org/pep-0665/

Oh, I actually meant on handling patches/forks

well, it makes lock verification longer. right now with each package listing it's dependencies, you can quickly look up if you have it in lockfile already. with only file pointers, you would have to get the file, get the metadata, resolve dependencies to their files and then you can be sure that it's fine. if wheel metadata had files/hashes of dependencies included, then your solution would be fine

but glad to see that was taken into account there too

it's possible that for optimization purposes one could save some metadata, I haven't thought too deeply but I know that the installation must not do anything but install literal file URLs (or use version control)

if you're concerned about the cost of file open + read per dependency, I have a feeling you're looking at the wrong cause of slowness

I mean, the standard should force it to be all in one file. I have PTSD when I see requirements/ directory or multiple requirements-<something>.txt in projects

Also note my work is to also fill in API gaps, so even if it doesn't lead to a lock file standard, at least the pieces to build an installer will be there

and there's no reason the resolver can't cache it's knowledge internally in a single db

You're getting ahead of me. 😅 I just verified I could resolve extras last night. I still need to make an installer to verify things and then start playing w/ a lock file format

maybe 😄

And if you want to propose Poetry's format for standardization please do! I want something and I'm not going to be that picky about whose approach ultimately gets chosen

I'd be pretty happy with a single dependency_hashes.toml with sections per platform

I am just a bit tired with the ecosystem going rounds and rounds reinventing the wheel, building the same tools again and again and not getting together, using what's already there and potentially improving it

but I'd rather not shove a load of hashes into pyproject.toml

that's a no-no for sure

I guess that would be "write a PEP" nudge?

I'd be okay seeing a PEP but since you are so close to Poetry and so experienced, please consider what you've learned and think about if you might come up with a different format from first principles

I am not saying Poetry's format is perfect

I was just curious on opinions about what is wrong with it

you would probably be the best person to explain that actually 🙂

I might be a bit too biased for that 😛

👀

and I am not that experienced yet, still exploring the packaging wildlife and trying to make sense of it 😄

also, now might be a good time to write the PEP because I have no free time and I have a history of getting nerdsniped (my two accepted PEPs have been in response to ones that were open that I was not fond of) :p

so no shot I could write a competing one before May

so of getting nerdsniped or of nerdsniping?

well, I doubt I will feel competent enough to write a PEP

but the idea of it is interesting

gotta get some poetry folks to help

That's what the PEP sponsor is for: to help you get the PEP in a good shape

I'm also going to be unavailable from sometime in March until probably June

Generally I hear issues w/ performance and occasional resolution failures

Well, that's a solver issue, not necessary a format issue

There's a happy medium between one file per target and dumping a bunch of work on the installer, I think. For instance, my bazel rules will import a lock file from PDM or Poetry, mix it with pre-defined Python platforms (os/arch/version/etc.), and generate something like this: https://gist.github.com/jvolkman/6f7c0a01e3d9c6af081c2839b9bf65c9#file-lock-bzl-L221-L301

I don't understand what it's doing

Correct, hence why some of us are saying you should write a PEP 😁

At least as long as the format makes a fast install (e.g. linear reading of packages to install)

Don't tempt my ADHD! I already have too many projects started as it is 😛

I think we all do 😅

me too 😭

i even made time-based milestones for the next 60 years to try to manage them all somehow

hopefully i'll live that long

yeah, there's a lot to unpack if you don't have bazel experience. But basically:

• There are a bunch of target configurations referenced here: https://gist.github.com/jvolkman/6f7c0a01e3d9c6af081c2839b9bf65c9#file-lock-bzl-L117-L139
• The target configuration json files (also generated) look like https://gist.github.com/jvolkman/b963646f2ed44b3f211ad8fd940bc6e4
• Package dependency lists select over these (a bazel match/case statement, basically)

So ipython depends on 7 packages on all of the defined platforms and then one or two additional packages depending on the specific platform.

what is due on december 2083 😭

What do you consider a platform, e.g. are two different glibc versions a different platform, and do cpython and pypy need different lockfiles?

A "platform" is everything used to decide what to install a wheel: Python version, environment markers and wheel tags. So yes, PyPy and CPython can lead to different outcomes and thus be different. Same w/ glibc depending on what you resolved for.

So I wouldn't say "need" as much as say "could have"

Hm that's confusing when related to the "platform_tag" component of a wheel tag (https://peps.python.org/pep-0425/#overview)

wow

its been a lot more active lately

Welcome to packaging where concepts lack proper terms! 😉 We have never had to define "the stuff you need to know to resolve what to install". You could call it an "environment", but that's taken by virtual | conda environments. "Environment details" maybe, but then people may still think of the other "environment". 🤷

Haha yeah it's tough for sure. All of the terms are so overloaded.

https://github.com/astral-sh/uv @blazing lantern might be relevant to know about for your mousebender efforts

We're very interested in the future of multiplatform lock files

yeah that's the hard part lol

@honest geyser how does it know the platform tags to look for without a Python flag?

It's re-implemented in Rust

https://github.com/astral-sh/uv/blob/e9e3e573a28a4d4f4f30021d981f33e69ab5d8ea/crates/platform-tags/src/lib.rs#L321

Is that what you mean?

(I'm not the expert on this part)

sorry I should be more explicit, without knowing the target Python what are the defaults? for example if I'm targeting Python 3.11 it seems there is no way to instruct it as such

You can compile with a --python-version, otherwise we will infer it from your current / installed Python

You can compile with a `--python-

Would UV be able to make venvs and replace pipx and build too? That would be amazing. 😉

don't know if you heard but pipx feature is coming to Hatch as a top-level command group but with a different name

From the blog post: "uv ships as a single static binary capable of replacing pip, pip-tools, and virtualenv. "

they plan on making uv pipx too

https://astral.sh/blog/uv#a-cargo-for-python-uv-and-rye

pipx is waiting on the cli design, the features are all there

https://github.com/astral-sh/uv/issues/1173

Ah, great. Then all the parts are there to provide a build replacement too. All you need are an installer and a venv creation tool. I might even be able to help with that.

it lacks support for some of its [pip] legacy features, like .egg distributions.
I thought pip dropped support for those a while back?

IIRC there is a deprecation warning when pip sees an installed .egg.

Actually, maybe the other direction would be better. If uv had a Python API (only in the pip package version, of course), then build[uv] could be added which would optionally allow you to get the speed boost of using it over venv/virtualenv. (We already support the same optional feature with virtualenv vs. venv).

And I assume most other tools like nox, etc. could optionally use it as well if installed.

uv seems faster dependency management imo

i'm sticking with my pip/pyenv

uv represents an intermediary goal in our pursuit of a "Cargo for Python": a comprehensive project and package manager that is extremely fast, reliable, and easy to use.

i feel like this already exists with pdm/poetry

they already have a lot of good dependency/project management utils

I'm having some trouble with pip-audit showing dash-core-components and dash-html-components as vulnerable - is there a pip-audit channel?

the vuln id is GHSA-547x-748v-vp6p

the vuln is here https://github.com/pypa/advisory-database/blob/main/vulns/dash/PYSEC-2024-35.yaml

I was about to say that’s where pip-audit gets the vulnarabilities

but it doesn't say dash-html-components is vulnerable

And those are ultimately from https://github.com/advisories

This lists dash-html-components as vulnarable https://github.com/advisories/GHSA-547x-748v-vp6p

but it's not vulnerable because it doesn't have any code in

https://pypi-browser.org/package/dash-html-components/dash_html_components-2.0.0-py3-none-any.whl/dash_html_components/__init__.py

it's just an import for the main dash project

Need to tell the database maintainer (whoever that is) to fix that I guess. @strange knot should know more about what to do (might need to reach him elsewhere; I don’t think he’s particularly active here)

I was looking to PR the advisory-database but it doesn't seem to have a purl for dash-html-components eg purl: pkg:pypi/dash

you could also ask at https://github.com/plotly/dash/issues

I think it's from here https://osv.dev/vulnerability/GHSA-547x-748v-vp6p

pip-audit can pull from there https://github.com/pypa/pip-audit/blob/main/pip_audit/_service/osv.py

but it defaults to pypi so it's not that

so is the problem that:

• a vulnerability was fixed in the dash package on PyPI
• dash contains a sub-package called dash-html-components
• dash-html-components used to be a separate package on PyPI, but is now just an "empty" wrapper that issues a deprecation warning and imports the main package
• dash-html-components on PyPI shouldn't therefore be marked as vulnerable?

yes

interestingly the same applies to dash-core-components but it's not marked as vulnerable

dash-html-components and dash-core-components v1.x is vulnerable but 2.x is not

so https://pypi.org/pypi/dash-core-components/1.17.1/json is missing a vulnerabilities value

@mild dew can probably help advise, he's also a pip-audit maintainer

I raised an issue with https://github.com/plotly/dash/issues/2766 maybe they can get the GHSA updated?

it looks like snyk made the mistake originally:

https://security.snyk.io/vuln/SNYK-PYTHON-DASHCORECOMPONENTS-6226334 Exploit Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DASHHTMLCOMPONENTS-6226336 Exploit Third Party Advisory

We got a spammer here

re the dash-core-components issue, I think submitting changes to GitHub's OSV database (via https://github.com/advisories/GHSA-547x-748v-vp6p/improve) would trickle down to PyPI if not already? I believe PyPI sources from OSV, OSV from GHSA.

Do you know why dash-core-components 1.x isn't marked as vulnerable?

There's a false negative and false positive

aha nice thanks https://github.com/github/advisory-database/pull/3600

@zealous swan where do I open the issue about the false negative for dash-core-components? is that a warehouse issue or https://github.com/pypa/advisory-database/ ?

I think opening at the advisory-database makes sense? It looks like the CVE got processed but then didn't get split into multiple different projects? https://github.com/pypa/advisory-database/blob/main/vulns/dash/PYSEC-2024-35.yaml

raised https://github.com/pypa/advisory-database/issues/180

This is mostly for @inland prawn , but what usernames should I make sure get cc'ed at https://discuss.python.org/ for my next lock file discussion? (I already have Ofek for Hatch, Frost for PDM, konstin and Charlie for uv/Rye, and Paul somewhat implicitly for pip.)

Let me forward your question to the team, I will DM you the handles

"Announcement: The PyCon US Packaging Summit 2024!"
https://discuss.python.org/t/announcement-the-pycon-us-packaging-summit-2024/46483

since you have DMs blocked: from Poetry team, you can cc Randy (https://discuss.python.org/u/radoering/summary) and me (https://discuss.python.org/u/secrus/summary)

My latest lock file proposal https://discuss.python.org/t/lock-files-again-but-this-time-w-sdists/46593/

I'm looking at the graph example file, is the intent that there would be a separate file per target architecture or is it just that this particular example only happened to resolve Linux tags?

nvm, I understand, there are multiple unnamed lock files and one would iterate and check compatibility with the child tags array. brilliant

Exciting to see it up!

So had a thought regarding reproducibility of source dist -> wheel while reviewing the lock proposal. I've heard many folks thinking about sdists as a tarball of VCS. Many reproducible builds guides note that you should use SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) for git-based builds, but that information is lost when creating a source distribution. Should there be a capture of this value in the sdist (metadata field?) that gets automatically pulled from VCS if available? Then build backends can start utilizing this value since it'll be available in more builds (rather than relying on users to set this value themselves).

shouldn't be neccessary. The original timestamps for file modification are preserved in zip (And therefore also in wheel)

This isn't for archive metadata, it would be for passing downwards to other tools like gcc (see: https://reproducible-builds.org/docs/source-date-epoch/)

that would be useful but just FYI that's not the main issue/trouble with source distributions. the hard part is entirely about the dynamism of metadata like dependencies

I don't see that as the job of the source distribution to handle, that's the job of redistributors to make the correct choices in using the source distribution

It's entirely reproducible using the creation date exposed by pypi (And other indexes) or from git if they pull from there, the redistributors just need to pick whatever date is appropriate

@lusty quarry I agree that there are more than one issue with sdists 😛

Maybe I'm not thinking much of the redistributor case here, more of the case for folks installing from sdists on PyPI having a reproducible environment.

same difference. Whoever is pulling the sdist can use the date of the upload for a consistent date

To be clear this is a super-low priority issue, it's just something I thought of while reviewing since reproducibility was mentioned.

I think we can both agree that things that don't happen automatically are usually as good as not happening? Most folks aren't setting SOURCE_DATE_EPOCH per call to pip install.

most people don't benefit from doing so. if your install has meaningfully different behavior on a different date, it's probably broken outside of the case of people that care about bit for bit reproducible builds.

I'd say that those who are interested in it, will set it

if it became both feasible and a goal of pip to ensure reproducible builds* from sdists, it might be worth making it happen automatically. I don't think this is a generally reasonable goal for the primary audience of pip or even most security conscious developers. A chain of trust from trusted source code and a trusted build system is extremely sufficient. In the cases where it isn't, I think people still over-value reproducible builds* and we should be more focused on finding better ways to ensure code equivalence so that those interested in the security aspects of reproducible builds don't end up tying hardware to the reproducibility.

*bit for bit, not just identical code and mathematically equivalent machine code

speaking of this, I literally can't get stuff to compile reproducibility on CentOS 6

I'm setting the environment variable, etc. and for some reason it just likes to produce new stuff every time

which sucks because it's forcing us to increment the wheel build numbers every time we have to upload

does anyone have an example of a large project using the build number part of the wheel spec?

we've sometimes done it for Pillow when finding a badly compiled wheel after release, then uploading a fixed one with a build number to the same release: https://discuss.python.org/t/restricting-open-ended-releases-on-pypi/43566/30

Very interesting! I'm also quite interested in this actually.

I believe one of the PyPy projects once used it when just one of the wheels was miscompiled

nice, thank you!

is there a way to query how many libraries create a "bindings" (site-packages/bindings/) package or similar?

a post-release would probably be more appropriate IMO

is this a thing? I mean, is bindings some commonly-agreed namespace package name I wasn't aware of?

i just encountered a library that creates one

i don't think it's convention or anything however

does it install bindings as a namespace package?

if not, then it's doing the wrong thing

what library is this?

i believe it's doing the wrong thing indeed

zaber-motion

it uses this script to create that folder https://gitlab.com/ZaberTech/zaber-motion-lib/-/blob/master/py/zaber_motion/tasks.py?ref_type=heads

i'm just curious about this since this generally feels like bad practice

I don't see anything referring to "bindings" there though?

hmm i might be wrong as to how they create that package then

hm, I looked at the wheel and indeed it did come with a bindings/zaber-motion-lib-linux-amd64.so

but the bright side is that it will show up as a namespace package indeed

so it's less bad than I feared

but no, I don't think there's any way to scan for similar packages very easily

gotcha

there's another library which drops it's DLL in Lib/

i feel there should be a rule against that

which library, and how does it do that? or do you mean site-packages/Lib?

nope

one second.

it lives in venv/Lib/

which library?

it's gmsh

was looking for it my bad

Directory of C:\Users\Divine\Desktop\OSS contributions\nuitka-2649-gmsh\venv\Lib

01/15/2024 02:37 PM <DIR> .
01/15/2024 02:37 PM <DIR> ..
01/15/2024 02:37 PM 86,433,792 gmsh-4.12.dll
01/15/2024 02:37 PM 356,182 gmsh.jl
01/15/2024 02:37 PM 41,059,108 gmsh.lib
01/31/2024 02:26 AM <DIR> site-packages

oh, but gmsh actually distributes that as package data

too bad they don't distribute a source package

so this is okay in PyPa/pypi eyes?

this is the proper way to distribute such things

that doesn't feel right, feels like it should at the very least be under site-packages/gmsh/

also, this is the first library i've seen that moves something higher than site packages.

Can anyone suggest a Python module for cloning git repos? I'd like to clone a repo (that doesn't represent a Python module) within setup.py and use it to generate ctypes definitions

GitPython can do it: https://gitpython.readthedocs.io/en/stable/quickstart.html#clone-from-url

talking to the network from within a setup.py is a bit of an anti pattern fwiw, particularly if you're sharing this with others

I don't want to complicate the process of cloning and using this library, though

Thank you, I appreciate it

I would just bundle the header files or whatever it is you're downloading, rather than downloading them

Why?

there's no guarentee that you're going to have access to whatever the URL is that you'r etrying to fetch from on your user's machines

e.g. many places run internal mirrors of PyPI and otherwise block internet access in CI

I don't expect that will be the case with this project, though

Why not just use a git submodule?

If you're set on network access in setup.py, maybe consider including a mechanism that allows the user to bypass it provide the necessary repo files themselves.

iirc pypi will look for references to making network requests in setup.py to prevent malware? Something to consider if you want to publish the package.

For the actual package, I won't need to make network requests. Just cloning a Git repo and generating a single source file (upon which the most interesting parts of the project are based).

I've decided to just use a git submodule for now, as I was overthinking it. I'm working on another project unrelated to Python that fetches its dependencies over Git, but in a way that's much more flexible (very easy to pick a specific fork/branch/commit/local installation)

So that's what got me thinking about doing so here

Just to clear this up, this is no longer true; plenty of packages perform network requests in the setup.py (much to my dismay.)

Warehouse used to have some built in YARA rules and whatnot, but they were torn out a few months ago IIRC.

I do, however, get notified every time someone uploads what we consider to be atypical setup.py structures. It's quite noisy. Think of my sanity before you import networking packages into your setup.py's. 😆

That’s actually hilarious lol. How often are you getting pings about that?

Fairly constantly. It's a give-take.

huh... maybe I should wait before I make the next post I was going to make about the current state of supply chains, I didn't realize those yara rules werent in effect and I had my own thoughts on them

setup.py is a very common vector to attempt to deliver some sort of malicious behavior.
So the extra focus on that particular venue is well placed.

To be clear we do not interface with PyPI in any automated way, so... your packages are safe if you're making network requests. I just get to read them. 🙂

I am working on a build backend that runs in WASI because arbitrary code execution is annoyingly useful but being able to set capabilities about what an installer script can do would be nice

That sounds neat! Yeah-- it's a really complicated subject; if we start locking down the behaviors of build systems, they become less useful, but more secure. It's a give and take. I don't have a very strong intuition for how we got here (or even, the build systems that exist out there) except that... I've seen just about everything under the sun at some point, and there's quite a bit of 'unique' out there on PyPI.

My current endeavors are largely focused on detecting APT activity, which is something that A.) Happens reasonably frequently and B.) Is... understandably quite difficult to detect.

Thanks! I'm hoping to target a minimal base and build out from there. E.g. start with no access outside the build directories, but eventually add allowlist network/file access

The one thing I am having difficulty figuring out if it is realistically doable is building C/C++ code

no :)

(/j)

<@&815744082823348274>, spam ^

<@&815744082823348274> spam

FWIW, the spam was dealt with in ~1 minute. 😬

admin efficiency 📈

next time we should use when actioning a ping to avoid duplicate admin work :P

i'm mostly joking but pradyunsg was 🏎️

wait were you just admin or am i hallucinathing

i've been an admin since a while

hu h

okay, I think I'm overthinking and thus being stupid. is there a way using packaging to extract the extra from the string foo; extra == 'bar'? I can't find a way

I can use internal stuff I suppose but it looks so hacky

I don't think you missed anything: https://github.com/pypa/packaging/issues/496

oh good find, thanks. yeah I'm trying to go from core metadata back to the project table

how do I flag a package as out of date?

A package you own? You'd make a new release

And the old ones get a little red banner

Like here https://pypi.org/project/pip/23.3.2/

are there any pypa projects using codecov? it looks like the new codecov github action needs to be explicitly passed a token

yes: https://github.com/search?q=org%3Apypa+codecov-action&type=code

you don't need a token if you stay on v3 of the action instead of using v4

v3.1.5 can be used to silence the warning about old Node.js versions

hm, bandersnatch is also not providing the token

doesn't look like any of the pypa projects using codecov has a working solution in place

alright, I just got the token from codecov.io and started using that, problem solved.

I don't own it

Which package is it?

https://pypi.org/project/wget/

Released: Oct 22, 2015

That's pretty outdated

Do you have a more up to date fork?

how would I make a fork?

You'd have to have on already and get it fairly popular

What's the outcome you're after? You can't take down other people's packages for being outdated

get it updated to use wget commands

Looks like the source code got deleted off bitbucket

it was a Mercurial repo, they all got shut down on Bitbucket https://web.archive.org/web/20150801133931/https://bitbucket.org/techtonik/python-wget/src

there's the sdist on PyPI, and the Bitbucket archive is at https://bitbucket-archive.softwareheritage.org/projects/te/techtonik/python-wget.html

alright, I just got the token from

You know how PyTest expands assert statements if they fail? I really want this, but my testing needs are spoken for. Can anyone suggest another library that just explains failing asserts?

...ah, you know what, PyTest may actually be okay for my needs after all

They do this by overwriting the pyc code generated by your Python code. Take a look in _pytest/assertion/.

Neat.

Does anyone else do that?

You mean for tests or overall?

For tests. This is for a test suite, but the thing being tested isn't actually written in Python. Only the test scripts are in Python; the thing being tested is a compiled binary with a particular C interface

So...I guess since the tests are being orchestrated and run elsewhere, I suppose I'm looking for assert expansion outside of a test framework

I think you need some sort of framework to make this possible. Pytest does into this by hooking into module loading at import time, to replicate it you’d also need a way to manage modules besides plain imports. (Or maybe it’d be possible with some importlib magic? Not sure.)

Hm...that would add unnecessary complexity for me right now

Thanks for the tip, though

Can ctypes be used to define variadic callback functions? I ask because I'd like to implement the following C interface in Python;

enum retro_log_level
{
   RETRO_LOG_DEBUG = 0,
   RETRO_LOG_INFO,
   RETRO_LOG_WARN,
   RETRO_LOG_ERROR,

   /** Defined to ensure that sizeof(enum retro_log_level) == sizeof(int). Do not use. */
   RETRO_LOG_DUMMY = INT_MAX
};

/**
 * Logs a message to the frontend.
 *
 * @param level The log level of the message.
 * @param fmt The format string to log.
 * Same format as \c printf.
 * Behavior is undefined if this is \c NULL.
 * @param ... Zero or more arguments used by the format string.
 * Behavior is undefined if these don't match the ones expected by \c fmt.
 * @see retro_log_level
 * @see retro_log_callback
 */
typedef void (RETRO_CALLCONV *retro_log_printf_t)(enum retro_log_level level, const char *fmt, ...);

struct retro_log_callback
{
   /**
    * Called when logging a message.
    *
    * @note Set by the frontend.
    */
   retro_log_printf_t log;
};

The Python function I want to write needs to be compatible with the definition of retro_log_printf_t.

you'd have better luck in the Python server

Not so far.

Well, definitely more than on packaging server

I know, I know...I figured it was worth a shot anyway, since this server is full of Python users

try asking one of the top AI chat bots, my favorite currently is Claude 3 Opus, anecdotally seems slightly better than the best ChatGPT that is available

My team at NVIDIA is hiring a Senior Software Engineer to contribute to open source Python packaging projects like warehouse and #pip ! Please reach out if you have any questions about the posting! https://nvidia.wd5.myworkdayjobs.com/en-US/NVIDIAExternalCareerSite/job/Senior-System-Software-Engineer---Open-Source-Python-Ecosystem_JR1981378

There's no option for "where did you hear about us" for discord

Ah do you employ remote engineers from outside the US?

I just posted: https://discuss.python.org/t/respecting-core-metadata-2-2-when-building-from-source-distributions/48886

<@&815744082823348274> Please ban

Done, and also oof.

Just saw all the channels with the "unread" mark and thought "oof, another spammer here" :/

thanks for removing it! 🙂

https://status.python.org/incidents/dc9zsqzrs0bv
looks like the incident actions are taking effect on new versions of packages, maybe the notice should reflect that

Yep, just ran into that in the middle of deploying a new release.

I can't imagine it's intentional, the message is likely correct just misconfigured restriction.

sorry for that! it was late and i just needed the inbound to stop :/

We understand, thanks for your work 🙂

@queen hornet I just noticed some of the css changes on the pydocs theme - just wanted to say it's really cool to see these changes!!

thanks! the font change makes a big difference 🙂

<@&815744082823348274> here we go again…

Dealt with that. Also bumped up the moderation settings on the server.

what setting is it now?

High: you must be a member of the server for 10 minutes before being able to send any messages.

• verified email + more than 5 minute old account for joining the server (which were required earlier as well).

docker scout started showing this old CVE (despite not showing it before recently) for pip that's arguably a non-issue and scored inappropriately to people https://scout.docker.com/vulnerabilities/id/CVE-2018-20225?s=gitlab&n=pip&t=pypi&vr=>%3D0

Internally at work, we were able to quickly deal with supressing the noise it caused, determining that its a non-issue, but it might be something someone from pypa should reach out to someone from docker about.

Fix versions: Not yet available
Something from 2018 still hasn't been fixed?

CVE is (rightfully) disputed and has been for a while. I'm not sure what triggered docker scout to start showing this to users recently. CVE is claiming that --extra-index-url in pip is dangerous (This is true) but by extension pip is vulnerable for even having it.

I'm wondering if anyone knows of what other servers have done for dealing with the spam bots.

We're at all but the highest level of verification (high requires a validated mobile number, which even I don't have on Discord).

It's just something mods have to deal with on public servers. There are "low bar" methods that stop some of the fully automated scrape public invites + spam bots like having a verification channel that users have to post a specific message to gain access based on reading something and following directions + a discord bot to assign a role

I just set my server to require a phone number from the start
Haven't had a problem with spammers yet
Having a role exempts you from the phone number requirement, so if someone doesn't have a phone I just give them a role and all is well

I help moderate a public server that constantly gets spammed, what we do is use a bot to help filter messages and moderate. Basically it will block sending a message if it is clearly spam (based on message content and keywords) it works pretty well.

Happy to help with setting that up. The bot we use is called Vortex, but there are many out there

with some servers you're stuck in the welcome room until a bot or human validates you

I feel like human verification might be extreme, but adding a "react to the icon to confirm you're a human" might work well, I've seen that used in other servers

yeah, but that's not a big issue to script over it

it stops a lot of the really low effort spam that just joins servers it scrapes links for, then sends messages to every channel it can access that way still

Which is a lot of the bots

Hey i'm currently doing research for a new non-pip-copy interface for uv, with focus on the interaction with PEP 621

My question is: Are you writing a tool that reads pyproject.toml's project.dependencies? Are there any non-resolver users, and if so, what information do you need?

I'm trying to figure out what information we need to provide so that the table is useful to others

@low drift <@&815744082823348274> the survey in the pinned message 404s?

it's over 1.5 years old, I guess the survey ended

There's no longer a pinned message. :)

It has been.... dealt with

Yes. For figuring out who is using a certain package (going from "six" -> dependents of six) via source code lookups/parsing the pyproject.toml files.

Isn't a 100% solution, but also, I expect stuff like this shouldn't really affect anything around packaging workflows.

Like for something like showing the github "Used by" tab, or something more specific?

Yea, basically post-facto analysis of the pyproject.toml files.

Not a part of the development workflow though; sits outside as a way to look at how people are using a thing (eg: measuring adoption etc) as well as tracking migrations etd.

gotcha, thanks for the info

Is there a strong reason to ever use pipx over venv?

Those are 2 different tools

they some overlapping capabilities though, right?

is there a strong reason to ever use venv over PYTHONPATH? These are all tools which make it easier to accomplish certain tasks. Creating isolated envs in the case of venv and installing/running Python CLIs in the case of pipx

To be pedantic, PYTHONPATH will not suppress system-wide site-packages, whereas venv will. 😛

pipx, as far as I know, is just a convenience wrapper over venv.

yeah, pipx is pip+venv with nice interface

I know, it was an analogy

@empty blaze to answer your question: If you want a tool available from the command line in multiple projects, you should use pipx rather than managing that tool’s venv manually.

Thank you. That's the clarification I was looking for. I appreciate you.

OK, I think I managed to configure automod so that it prevents these messages in the future.

And, now this server should be more spam-free. Thanks for bearing with us mods as we've tried to figure out what to do with these stupid spam bots and how to keep them out.

Thanks to you, moderators! This is a safe server thanks to y'all 🙂

👋 I found some energy to get the pip packaging upgrade moving. If anyone' still using pip, we'll be looking for testers of https://github.com/pypa/pip/pull/12300

pip install git+https://github.com/pypa/pip.git@refs/pull/12300/merge to install from PR

I got this trying to upload a wheel or sdist from Jazzband to PyPI, what am I missing?

Uploading distributions to upload.pypi.org/legacy �[31mERROR �[0m InvalidDistribution: Metadata is missing required fields: Name, Version. Make sure the distribution includes the files where those fields are specified, and is using a supported Metadata-Version: 1.0, 1.1, 1.2, 2.0, 2.1, 2.2.

it used the latest build and pkginfo to make the packages, and latest twine to upload to Jazzband.

but then it failed uploading from Jazzband to PyPI. maybe Jazzband has an old twine or something? I don't know what versions it has

(https://github.com/jazzband/prettytable/issues/298)

also using hatchling and hatch-vcs

perhaps it's the old pkginfo and twine at https://github.com/jazzband/website/blob/693860ef2ec8e86345df53f5814d9d4a9e172e8f/requirements.txt#L717

yes the upload tooling needs to be updated for metadata 2.3

thanks! I'll open a Jazzband issue tomorrow. they have Dependabot, but it's been disabled from not being used in a while https://github.com/jazzband/website/pull/1148

jazzband has a separate package index?

yes, it's just used as a staging area before they get uploaded to PyPI

They have their own special release CI

I don’t really understand why

How does that help?

Is there anything actually stopping you from just… not using it?

it's basically the usual one but points to the Jazzband index instead: https://github.com/jazzband/prettytable/blob/main/.github/workflows/release.yml

yes: most Jazzband maintainers do not have access to the projects on PyPI. anyone can merge, but only project leads can release from JB->PyPI

as a lead, you usually don't have PyPI access either

this was all set up before Trusted Publishing, so I think it could be safely replaced with that and cut out the middle step

Anyone with write access can create a release, right?
That doesn’t really help there.
But GitHub has allowed you to require approvals for CI jobs for… years. That sounds like a much simpler way to handle this.

Would also allow the leads (assuming they have admin on their own repos) to update the rules themselves

I don’t know the history here, and I’m just barging in here, but that sounds like a good spot for a feature request, at least to review the viability.

I think this all predates (common) automated uploads to PyPI. I can't remember how it was before it was automated GH->JB, but it does need a lead to approve JB->PyPI.

I think GH's environments (where you need to approve CI) is fairly new?

I thought it had been around for a while
I'll see if I can find it

leads don't have admin on repos, there's only one admin for all of Jazzband

oh

oof

That's a... giant bottleneck

yup

There's many comments on the "need more admins" issue
Did he never pick anyone else?

I don't think so

Dec 2020 for beta: https://github.com/github/roadmap/issues/99
June 2021 for GA: https://github.com/github/roadmap/issues/167

Jazzband is probably way older than that

Anyways, I do think that would be a cleaner solution, but apologies for barging in and rambling

np, thanks for looking that up! Jazzband is at least 2015 https://web.archive.org/web/20151217142507/https://jazzband.co/

I'm having problems in generating documentation for a Python package I'm writing. Which channel is on-topic for that?

nothing here. you will have better luck on Python server: https://discord.gg/python

I was trying to ban them but couldn't find the ban button, I suppose someone else got to it first, haha :)

I was like "this is a really inconvenient time for my ban button to disappear... ah they're already gone"

I think I must've beat ya to it

We've got so many banned accounts in the last few weeks. 🙈

is interpreter tag cp310-none-any the same as cp3_10-none-any?

(both are produced by packaging.tags on the same machine, just using different functions)

I've never seen the latter

I guess confusion appeared from here

The version is py_version_nodot. CPython gets away with no dot, but if one is needed the underscore _ is used instead. 

anyway, solved my problem 😄

I'd like advice:

I want to have Hatch ship UV in the next release. What I'm doing now is the same thing I do for Ruff which is manage a dedicated environment just for that. What I'm realizing however is that nearly the only reason I'm doing this is because I don't want to have redistributors open issues on the repo for packaging changes/hardships.

Is there another reason to not ship dependencies directly that are only used via certain flags/config options?

At a high level it feels very strange that I'm letting project-level decisions be influenced by what is good for redistributors.

I wouldn't bother making it easier for redistributors at the cost of your own design. people interested in hatch are going to install it with or without redistributors doing anything with it, and distros already got the stuff they need to keep system python/pip seperate over the last few years.

thanks that is reasonable and makes life easier for me. also I've been experiencing trepidation over refactoring CLI config parsing with Pydantic because that is Rust as well so indeed might as well bite the bullet and apologize when the time comes for any distribution packaging hurdles

this is great!

Are you putting uv in PATH?

no

As a former Debuntu foundations dev (aka redistributor) I would concur that you shouldn't gate your design choices on what downstream Linux distributors might or might not want. That said, I'd recommend that where possible if you can structure your code so that it isn't super difficult for them to unvendor, then they would appreciate making their lives a little easier. Don't sweat it too much, but be open to suggestions in the future as the Linux packagers make any requests or suggestions. Does that thread the needle enough? 😄

@elder tinsel @bright parcel for example, look at this issue that was opened earlier today https://github.com/pypa/hatch/issues/1391

this is just an issue with a test dependency not even the project itself so imagine when I make the change, this is what I worry about

I do my best to support distributions but it's really hard to say no for open issues. I even do stuff like have a test marker for tests that require network access because someone asked for that at some point

for clarity, I also agree with this to an extent. adding emphasis on my prior statement to the words "at the cost of your own design" is where I personally draw that line.

I don't see it as a major issue in the current state of the ecosystem if a redistributor decides that redistributing hatch is more effort than it is worth, as users still have access to hatch via the redistribution efforts for python and pip, and the system dependencies are properly protected from incompatabilities via the mechanisms added to prevent accidental modifications to system python and system python packages.

Fully agree that you shouldn't make design choices you disagree with just to satisify redistributors. In the issue that @lusty quarry linked to, and as you say, adding a marker to skip tests for optional missing dependencies makes sense. If you're going to make uv a hard dependency, then it's up to you if you still want that marker or not, but I'd also say that it isn't outside the bounds to leave that as a task for the redistributor.

One thing to keep in mind though is that a lot of these distribution packagers are themselves volunteers. I also agree with @elder tinsel that hatch has plenty of ways to be available on those platforms without having to be in the package index. And it sounds like uv is just a temporary omission from Fedora, so that'll get sorted out eventually too.

Weird empty cryptospam packages being uploaded to the Ruby index, trying to game tea.xyz https://blog.rubygems.org/2024/04/14/the-implications-of-crypto-rewards-on-rubygems_org.html

https://blog.phylum.io/digital-detritus-unintended-consequences-of-open-source-sustainability-platforms/
Phylum did an article about tea3 awhile ago as well, specifically with respect to NPM.

Anticipating this becoming an issue for our little ecosystem here shortly, but so far all quiet.

I might add a short bit about build performance to my PyCon talk. At work we are about to switch a monorepo from setuptools to Hatchling and there is a 25% reduction in the time to build the wheel!

Datadog, right? Don't they use Bazel in some capacity?

we do but not for the Python monorepo

also, I'm not sure that would help unless it ignores the build backend that is defined and incrementally builds the archive

I'm super interesting in this @lusty quarry . It sounds like your situation closely mirrors mine. I'm still planning our (into) monorepo migration and that's related to the pm about my bug/question/pebkac. I get a fair bit of pressure to bazel, which I'd like to avoid. Build performance w/hatch would be a compelling data point.

yes I always try to avoid that when I can

Bazel performance seems to be the biggest stated reason why people want to use it

I'm curious what makes it fast for Python wheel building in particular, is that true or just an assumption people have?

I haven't really had time to confirm it, but I believe it's aggressive caching. I have more direct experience with Gradle, which also benefitted from aggressive caching, but didn't really play well with common Python workflows, like being able to pop into a venv and narrow down to a small number of pytests. Gradle (or maybe the way it was used) had lots of problems, like hiding configurations and tool calls inside Groovy or Java files which made it really difficult for a Python dev to discover, modify, etc. From what I've seen of the Bazel configs, it seems... maybe a bit better, but still tends to hide things in places that are unnatural for a Python developer.

what I don't understand is specifically wheel building, how would that be any faster?

It's a good question, and I'm not really sure Bazel really is faster for wheel building, unless they're doing some more aggressive caching of dependencies?

Not sure if I should ask this here, but I've been working on some translations from PyPA to my native language (spanish), and I have a question about the type of language PyPI and the docs are using. Unlike english, in my language there're two (maybe more if you consider regionalisms) ways to say "you", one is formal ("usted") and the other is more familiar ("tú"). In order to keep consistency on the translation, should I keep the formal way or use a familiar way to say "you/you're"? What's the type of language used by the docs in general?

Maybe use a similar tone to Python’s documentation? We have formal and informal second-person pronouns as well and I believe most documentation uses the informal form, but I assume this varies more from language to language than from a document to another

Ok, thanks for the answer! I'll look at what's already used on my language translation then 🙂

welcome also to the Python docs community Discord, one of the Spanish translators for the Python docs is there if you want to ask how they do it there
https://docs-community.readthedocs.io/en/latest/community/contributing.html

should a wheel ever contain __pycache__? A user submitted a PR to one of my projects to always strip out __pycache__ directories when installing a wheel (because they're running into some problem), and I'm trying to figure out whether this is the correct approach.

Wheels shouldn’t contain these. Pip (and uv if you ask it to) create them when installing a wheel. Otherwise they’re generated on first execution of each package.

it should never, no

Hatchling can't even traverse such directories and there is no way to override that

Okay, thanks!

simplewheel/__init__.py
simplewheel-2.0-1.dist-info/DESCRIPTION.rst
simplewheel-2.0-1.dist-info/metadata.json
simplewheel-2.0-1.dist-info/top_level.txt
simplewheel-2.0-1.dist-info/WHEEL
simplewheel-2.0-1.dist-info/METADATA
simplewheel-2.0-1.dist-info/RECORD

Is this a valid wheel? As far as I understand, wheel build tags should not be included in the metadata directory name...

(I'm trying to optimise pip's metadata backend and my patch broke the test suite because of this)

PEP 427 says that the format should be {distribution}-{version}.dist-info, so I believe that the build tag should not be in the name of the dist info directory

coolio, that's what I thought

hopefully there aren't too many of these technically invalid wheels out in the wild

It might be good to update https://packaging.python.org/en/latest/specifications/binary-distribution-format/ to have more normative rather than descriptive standardization of the naming of items

Might be worth reporting on the setuptools tracker

not sure the process but I opened https://github.com/python/peps/pull/3772

can anyone suggest a good pdm based cookiecutter template ?

I am working on a copier template based on pdm. Though it is still in active development, feel free to let me know if you have any specific requirements. https://github.com/serious-scaffold/ss-python

You can also refer to https://github.com/pdm-project/awesome-pdm

still a bit early, but I released this https://ffy00.github.io/python-environments/

if anyone has thoughts, let me know

Awesome 👍. Almost everything I'm looking for. Would be nice to have mkdocs integration

FYI, see https://github.com/scientific-python/cookie which includes nearly a dozen backends, including PDM, and isn't actually scientific-specific

nice! what would you say is the primary use case for these?

mainly when dealing with quirks of different environments

it's useful to quickly look things up, and then also test against specific environments in test suites, etc

that was my main purpose for that at least

I have to admit it is an opinionated template, I did not prefer mkdocs as some insider features are not available to everyone. Sphinx with myst should work fine with general markdown documents. If you have strong requirement, I can add an option to that.

Feel free to create an issue or discussion for that.

w.r.t. to insider features, I believe you're talking about the material theme, not MkDocs itself

Yes, sorry for the misleading.

😅 I was scared for a moment

I have used both but for me markdown is much more familiar. I mean mkdocs is much simpler for me 😅

Hence I prefer mkdocs

sphinx + myst also support markdown too, you can refer to the included sample docs, all in markdown.

We've also only gone with Sphinx + myst in cookie; the myst team is great. Eventually we might provide an option for mkdocs though. I like how fast it is.

Any recommended themes other than material? The material team really did a good job, I even want to pay for the insider features when used for my personal projects. But as a template project, it may not be suitable as the default option for everyone.

catppuccin ?

https://catppuccin.com/

Is this a mkdocs theme?

oh I though you were asking for accent

I should be more precise, again. haha

just FYI when Hatch does a docs command the default will be MkDocs with the material theme

meh, sphinx with furo FTW

if you are a new person with no context MkDocs is simply easier than Sphinx

and a larger ecosystem of plugins

but yaml 🤮

I opened this PR to add a reference in order to use it on the associated PEP, let me know if that's not the right syntax https://github.com/pypa/packaging.python.org/pull/1544

FYI, I'd love a "templates" system where there could be two defaults, mkdocs and sphinx. Sphinx + myst + furo is very nice. Does mkdocs support man pages? That's something distro package managers request once they start picking up your package.

someone else asked for that and probably I will have two defaults with the former as the main one

and yes man pages are supported https://www.mkdocs.org/user-guide/installation/#installing-mkdocs

I think mkdocs makes sense as a default, I just think it also makes sense to have integrated support for sphinx too. 🙂

What's the status of PEP 639? It seems setuptools and hatchling have added the (supposed to be in) METADATA 2.4 fields and supporting the pyproject.toml syntax, but the PEP is in draft. I don't want to add support to pyproject-metadata until something is standardized. Which means scikit-build-core (and meson-python and pdm-backend) doesn't support the draft yet. But apparently distros (at least Fedora) are asking for these fields. The PEP has been draft for nearly 5 years.

it's being worked on by Karolina of Red Hat, most recently: https://github.com/python/peps/pull/3743

typical Wednesday, taking a break for lunch and saw an opportunity to help a project update Hatchling because there were bugs temporarily https://github.com/pex-tool/pex/pull/2403#discussion_r1594424306

Well, I think PyPA itself is bad for the ecosystem!
😅

trail of tears is quite the reference... oh boy

I'll probably eat lunch on my lunch break next time

at some point I hope to make PyPI reject files that have unknown fields in them, but I'd have to see how many things are emitting that field in particular before I just yolo broke them

Do you mean any unknown Metadata fields? Or unknown license fields specifically? I'd imagine allowing unknown fields would allow for easier experimentation/demonstrations in metadata changes.

(I could definitely see the benefits of banning arbitrary fields on the other hand)

currently, this returns None for statically compiled MUSL distributions: https://github.com/pypa/packaging/blob/32deafe8668a2130a3366b98154914d188f3718e/src/packaging/_musllinux.py#L37

is that intentional? ref: https://github.com/indygreg/python-build-standalone/issues/260

any unknown fields, which is partially about ensuring that we don't end up in situations where we have defacto standard that never got standardized, and partially because malformed / broken METADATA files often times get surfaced as files that have nonsense extra fields

like if you have a tool that doen'st properly escape and you sneak a newline in there, the second line can end up looking like a field with a weird field name

the new draft of PEP 639 is ready for discussion: https://discuss.python.org/t/pep-639-round-3-improving-license-clarity-with-better-package-metadata/53020

I'm pretty sure it's approximately correct but I wasn't actually around at the time, is this generally correct about what happened with packaging in the early days? I was not there but I've read the story a few times from various folks https://github.com/pex-tool/pex/pull/2408#issuecomment-2105932894

i.e. packaging was not good, there was no desire to improve within CPython, and therefore Anaconda was born. is that right?

The topic is convoluted, complicated, shrouded in the mist of history, subject to many different perspectives, and organic growth. I have my own interpretation which is probably too much to go into here (maybe at Pycon!). I was around for most of it.

I would definitely love to hear more about that next week!

would be nice to know more about that (especially since some of us won't make it to pycon 😦 )

Probably won't have time until I get to Pittsburgh

IIRC the Numpy folks kept asking Guido to fix problems they had with packaging stuff, and he didn't care about it and suggested that they go make their own thing

and they took that and ran with it

when I first got involved in packaging, probably the biggest problem was there was no mechanism to make decisions, this predated the idea of PEP-Delegates (I don't recall if we were the first people to use BDFL-Delegate, or just one of the first), so Guido decided on all PEPs, and generally didn't care about packaging much so there wasn't a drive to use the PEP system.

Plus a lot of the early attempts in CPython focused on more or less a complete lift of the ecosystem, kind of like creating a whole new ecosystem of packages without worrying about how to straddle the line between old and new systems

I don't know who has access, but could someone please create a token that would be used on the Hatch repo to publish images for each release? https://hub.docker.com/u/pypa

In case you missed it... We're looking for feedback on the current pip beta release! https://pradyunsg.me/blog/2024/05/13/pip-24-1-betas/

okay, I optimized Hatch's installation heavily the past day and I don't think it can get any faster now

now it fetches a prebuilt distribution and simply unpacks, super quick

you can try with a binary or installer e.g.:

curl -LO https://github.com/pypa/hatch/releases/latest/download/hatch-aarch64-apple-darwin.tar.gz
tar xzf hatch-1.10.0-aarch64-apple-darwin.tar.gz
./hatch --version

does anyone know of a reason why entry points should not be portable? https://discuss.python.org/t/portable-entry-points/53787

I think if you do it similarly to the example cited in the post, then you can no longer run it with python - you have to run it directly.

What's the relationship between distlib and packaging? Seems like they have very similar scopes.

From what I have seen, distlib is more legacy and has some features that packaging doesn't

Where should I report an issue with deleting docs on pythonhosted.org? I want to delete the docs for Flask-Mail, but while they did get removed from https://pythonhosted.org/Flask-Mail/, they are still up at https://pythonhosted.org/flask-mail/ (note the lower case name).

I reported it to Warehouse, although it's not completely clear if that's the right place: https://github.com/pypi/warehouse/issues/16002

Warehouse is probably the closest thing to the right place

What's this?
The PSF offers free web hosting?

Probably an old relic

pythonhosted.org is the domain name for where user supplied content gets stored, like artifacts and such, to keep it from being able to be used to attack the primary domains like pypi.org and python.org (see gifar attacks, etc)

at one point in time PyPI let you upload your docs for your projects

we stopped allowing that, but didn't delete the old docs incase they were the only copy etc

but we do allow projects who had previously uploaded docs, to delete them

why was it stopped?

in general we did a worse job of it than both github pages and RTD

and we decided rather than continue to invest in it, it was better to just recommend using something made for it

makes sense (although it would be nice to have docs alongside the pypi package, a lot of packages don't provide link to it

it also wasn't very widely used, and in a lot of the cases where it was used, it was just old versions of the docs because the project themselves had previously switched to using something else

there's no packaging-specific channel, so dropping a general question here: does anybody know if there are function(s) to "rehydrate" the results of parse_wheel_filename and parse_sdist_filename?

context: i have a tool that's going to need to take the full filenames of distributions, and needs to fully normalize them according to their respective specs. parse_wheel_filename and parse_sdist_filename return the normalized components of each, but i don't see (maybe missing it) any APIs to turn the returned components back into filenames

(i could do that conversion manually, but it's slightly more annoying than just joining on -. hence the question 🙂)

No, there isn't one.

there was a new packaging release (24.1), but nothing in the changelog. What's with that?

I have the make_wheel_filename() function in my PR: https://github.com/pypa/packaging/pull/805

there's one at https://github.com/pypa/packaging/releases/tag/24.1

oh, okay...this is what I was looking at: https://packaging.pypa.io/en/stable/changelog.html#id1

perhaps packaging should have a link to the correct changelog on the PyPI?

probably just a mistake in release

I avoid this in my own projects by autogenerating the GH release from the canonical release notes in the docs

Oh man, looks like I goofed up on the release process. 😅

This is what I get for cutting releases while not a 100%.

filelock==3.15.0 appears to be wreaking havoc

e.g., https://github.com/jvolkman/repairwheel/actions/runs/9487541758/job/26145230512. There's an issue now: https://github.com/tox-dev/filelock/issues/337

And downstream https://github.com/pypa/virtualenv/issues/2735

3.15.0 yanked; everything is green again 🫠

FYI I'm back from parental leave and trying to catch up on GitHub and discuss.python.org

Your efforts have already been noticed: #off-topic message

@drowsy moss in https://github.com/astral-sh/uv/issues/1526#issue-2139213581, why did you react with a thumbs-down?

cc @glass sand since it's probably relevant to https://github.com/jaraco/pip-run/issues/100#issuecomment-2184046083

so hyped for the lockfile pep!

Because installing outside venvs is dangerous for a number of reasons. To use this footgun, one must understand the consequences very well.

interesting. would you like to describe some examples?

or maybe direct me into somewhere i could learn more?

OS-level software is managed by system package managers. Using an additional/external thing to overwrite those files won't consult the system one and replace parts unconditionally. Other programs that rely on those parts may end up being broken, even said system package manager itself.
You have to know that you'll never ever be relying on whatever's broken (and somehow learn what it broke), or rely on an image that installs additional Python that the system doesn't rely on (or install one yourself, in a separate location). You have to keep this in mind all the time, meaning some extra mental overhead whenever you use the container.

thanks for explaining. hats off for spreading awareness

I forgot to mention that this is why PEP 668 is a thing that pip implements and most distros adopted by now (pip allows overriding it via --break-system-packages) :

• https://peps.python.org/pep-0668/ / https://packaging.python.org/en/latest/specifications/externally-managed-environments/
• https://discuss.python.org/t/pep-668-marking-python-base-environments-as-externally-managed/10302

Note that --user has similar problems isolation-wise (though, not as disasterous for the system).

--user mainly just doesn't have a clear use case.

System package manager for system dependencies, and pipx for tools that aren't packaged for for system. Venvs for development. What's left for the user-global env?

Personally, I like to use --user for quick experiments/scripts that depend on libraries.

Packages installed there will put their binaries in ~/.local/bin where they conflict with pipx, so I prefer one-off venvs or the new script dependency spec

Yeah, I need to learn to use this script dependency stuff, it would probably serve as a replacement.

I converted coverage.py to use trusted publishing, it worked great (and I wrote a small bug report for urllib3 along the way!) I'm confused about the "provenance" step. I didn't see mention of it in the two guides I was semi-following. Do I need it?

it's not needed for trusted publishing

I guessed it wasn't, since I made a release without it!

what is it for? When would I need it?

I think that's for optional SLA build provenance, a way to prove the artifacts were built by this actual workflow

uses this: https://github.com/slsa-framework/slsa-github-generator

GitHub also has a new one that's really easy to use, it generates provenance that you can check via the gh command: https://github.com/actions/attest-build-provenance

so for example, just before you upload your artifacts to PyPI:

    permissions:
      attestations: write
...

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "dist/*"